Load Training Data

In [5]:
from xml_reader import XMLReader
import plotly.graph_objects as go
import plotly.offline as pyo
from rule_classifier import Analyzer

# Initialise plotly's offline notebook mode so figures render inside the notebook.
pyo.init_notebook_mode()

# Training set: one (label, reader) pair per person, labels 1..6. Each reader is
# handed that person's Security.xml and Sysmon.xml from Logs/Train/.
# NOTE(review): XMLReader is project code that is not visible here; confirm it
# parses with DTD / external-entity resolution disabled, since these are event-log
# exports that presumably originate on other machines.
input_data = [
    (
        i,
        XMLReader(
            f"Logs/Train/Person_{i}/Security.xml",
            f"Logs/Train/Person_{i}/Sysmon.xml",
        ),
    )
    for i in range(1, 7)
]
analyzer = Analyzer(input_data)

Occurrence

In [18]:
import json

# For every attribute: print its per-person occurrence values as JSON and draw
# them as one bar series (one bar per person).
# In the printed output the values line up with
#   (events of that person carrying the attribute) / (all events of that person)
# -- presumably computed inside Analyzer; verify against that class.
# Only aggregate ratios are emitted here, no raw field values from the logs.
for attr in analyzer.occurence:
    per_person = analyzer.occurence[attr]
    labels = list(per_person)
    ratios = [per_person[label] for label in labels]
    bar = go.Bar(
        name='occurence',
        x=[f'Person{label}' for label in labels],
        y=ratios,
        text=[round(n, 2) for n in ratios],  # bar captions, rounded to two decimals
        textposition='auto',
    )

    print(f"# {attr}")
    print(json.dumps(per_person, indent=4))

    fig = go.Figure(data=[bar])
    # Force a categorical x axis so the person labels are not read as numbers.
    fig.update_layout(xaxis_type='category', title_text=attr, barmode='group')
    fig.show()
# system.EventID
{
    "1": 1.0,
    "2": 1.0,
    "3": 1.0,
    "4": 1.0,
    "5": 1.0,
    "6": 1.0
}
# event_data.ObjectType
{
    "1": 0.0020242914979757085,
    "2": 0,
    "3": 0.902600082542303,
    "4": 0,
    "5": 0.004036908881199538,
    "6": 0.001392757660167131
}
# event_data.TargetProcessId
{
    "1": 0,
    "2": 0.007936507936507936,
    "3": 0,
    "4": 0.049079754601226995,
    "5": 0,
    "6": 0
}
# event_data.Image
{
    "1": 0.8360323886639676,
    "2": 0.8869047619047619,
    "3": 0.07985967808501858,
    "4": 0.4279141104294479,
    "5": 0.5893886966551326,
    "6": 0.9345403899721448
}
# event_data.TargetUserName
{
    "1": 0.0931174089068826,
    "2": 0.041666666666666664,
    "3": 0.01011143210895584,
    "4": 0.05674846625766871,
    "5": 0.1707035755478662,
    "6": 0.01532033426183844
}
# event_data.TargetImage
{
    "1": 0,
    "2": 0.007936507936507936,
    "3": 0,
    "4": 0.049079754601226995,
    "5": 0,
    "6": 0
}
# event_data.NewThreadId
{
    "1": 0,
    "2": 0.007936507936507936,
    "3": 0,
    "4": 0.049079754601226995,
    "5": 0,
    "6": 0
}
# event_data.Hash
{
    "1": 0,
    "2": 0,
    "3": 0.0012381345439537762,
    "4": 0,
    "5": 0.006920415224913495,
    "6": 0
}
# event_data.ParentImage
{
    "1": 0.22469635627530365,
    "2": 0.3492063492063492,
    "3": 0.014857614527445316,
    "4": 0.10276073619631902,
    "5": 0.08823529411764706,
    "6": 0.0947075208913649
}
# event_data.ProviderName
{
    "1": 0,
    "2": 0,
    "3": 0,
    "4": 0.003067484662576687,
    "5": 0.002306805074971165,
    "6": 0
}
# event_data.IntegrityLevel
{
    "1": 0.22469635627530365,
    "2": 0.3492063492063492,
    "3": 0.014857614527445316,
    "4": 0.10276073619631902,
    "5": 0.08823529411764706,
    "6": 0.0947075208913649
}
# system.Security.UserID
{
    "1": 0.8360323886639676,
    "2": 0.8948412698412699,
    "3": 0.07985967808501858,
    "4": 0.47699386503067487,
    "5": 0.5893886966551326,
    "6": 0.9345403899721448
}
# event_data.QueryStatus
{
    "1": 0.24898785425101214,
    "2": 0.27380952380952384,
    "3": 0.02042921997523731,
    "4": 0.21932515337423314,
    "5": 0.052479815455594,
    "6": 0.6337047353760445
}
# event_data.AlgorithmName
{
    "1": 0,
    "2": 0,
    "3": 0,
    "4": 0.003067484662576687,
    "5": 0.002306805074971165,
    "6": 0
}
# event_data.KeyType
{
    "1": 0,
    "2": 0,
    "3": 0,
    "4": 0.003067484662576687,
    "5": 0.002306805074971165,
    "6": 0
}
# event_data.Hashes
{
    "1": 0.22469635627530365,
    "2": 0.3492063492063492,
    "3": 0.014857614527445316,
    "4": 0.10276073619631902,
    "5": 0.08823529411764706,
    "6": 0.0947075208913649
}
# event_data.ImpersonationLevel
{
    "1": 0.05668016194331984,
    "2": 0.031746031746031744,
    "3": 0.006190672719768881,
    "4": 0.04141104294478527,
    "5": 0.02306805074971165,
    "6": 0.01532033426183844
}
# event_data.QueryResults
{
    "1": 0.19838056680161945,
    "2": 0.25,
    "3": 0.0175402393726785,
    "4": 0.20552147239263804,
    "5": 0.040945790080738176,
    "6": 0.6030640668523677
}
# event_data.DestinationHostname
{
    "1": 0,
    "2": 0,
    "3": 0,
    "4": 0,
    "5": 0.06170703575547866,
    "6": 0
}
# event_data.SubjectUserSid
{
    "1": 0.15991902834008098,
    "2": 0.10515873015873016,
    "3": 0.9201403219149814,
    "4": 0.13803680981595093,
    "5": 0.41061130334486734,
    "6": 0.06545961002785515
}
# event_data.Initiated
{
    "1": 0,
    "2": 0,
    "3": 0,
    "4": 0,
    "5": 0.08246828143021914,
    "6": 0
}
# event_data.DestinationIsIpv6
{
    "1": 0,
    "2": 0,
    "3": 0,
    "4": 0,
    "5": 0.08246828143021914,
    "6": 0
}
# event_data.StartFunction
{
    "1": 0,
    "2": 0.0,
    "3": 0,
    "4": 0.0,
    "5": 0,
    "6": 0
}
# event_data.LogonType
{
    "1": 0.06275303643724696,
    "2": 0.03373015873015873,
    "3": 0.0063970284770945105,
    "4": 0.04447852760736196,
    "5": 0.024798154555940023,
    "6": 0.01532033426183844
}
# event_data.Operation
{
    "1": 0,
    "2": 0,
    "3": 0,
    "4": 0.003067484662576687,
    "5": 0.002306805074971165,
    "6": 0
}
# event_data.SubjectLogonId
{
    "1": 0.15991902834008098,
    "2": 0.10515873015873016,
    "3": 0.9201403219149814,
    "4": 0.13803680981595093,
    "5": 0.41061130334486734,
    "6": 0.06545961002785515
}
# event_data.ReadOperation
{
    "1": 0.012145748987854251,
    "2": 0.031746031746031744,
    "3": 0.0012381345439537762,
    "4": 0.03987730061349693,
    "5": 0.2104959630911188,
    "6": 0.03203342618384401
}
# event_data.OriginalFileName
{
    "1": 0.22469635627530365,
    "2": 0.3492063492063492,
    "3": 0.014857614527445316,
    "4": 0.10276073619631902,
    "5": 0.08823529411764706,
    "6": 0.0947075208913649
}
# system.Correlation.ActivityID
{
    "1": 0.15587044534412955,
    "2": 0.10515873015873016,
    "3": 0.0175402393726785,
    "4": 0.13803680981595093,
    "5": 0.40657439446366783,
    "6": 0.06267409470752089
}
# event_data.WorkstationName
{
    "1": 0.058704453441295545,
    "2": 0.03373015873015873,
    "3": 0.0063970284770945105,
    "4": 0.04141104294478527,
    "5": 0.024798154555940023,
    "6": 0.01532033426183844
}
# event_data.SourceIp
{
    "1": 0,
    "2": 0,
    "3": 0,
    "4": 0,
    "5": 0.08246828143021914,
    "6": 0
}
# event_data.TargetLogonId
{
    "1": 0.06072874493927125,
    "2": 0.031746031746031744,
    "3": 0.006190672719768881,
    "4": 0.04447852760736196,
    "5": 0.02306805074971165,
    "6": 0.01532033426183844
}
# system.Keywords
{
    "1": 1.0,
    "2": 1.0,
    "3": 1.0,
    "4": 1.0,
    "5": 1.0,
    "6": 1.0
}
# event_data.LogonProcessName
{
    "1": 0.058704453441295545,
    "2": 0.03373015873015873,
    "3": 0.0063970284770945105,
    "4": 0.04141104294478527,
    "5": 0.024798154555940023,
    "6": 0.01532033426183844
}
# event_data.ObjectName
{
    "1": 0.0020242914979757085,
    "2": 0,
    "3": 0.902600082542303,
    "4": 0,
    "5": 0.004036908881199538,
    "6": 0.001392757660167131
}
# event_data.ReturnCode
{
    "1": 0.012145748987854251,
    "2": 0.031746031746031744,
    "3": 0.0012381345439537762,
    "4": 0.04294478527607362,
    "5": 0.21280276816608998,
    "6": 0.03203342618384401
}
# event_data.TargetSid
{
    "1": 0.018218623481781375,
    "2": 0.007936507936507936,
    "3": 0.0035080478745356997,
    "4": 0.009202453987730062,
    "5": 0.016147635524798153,
    "6": 0
}
# event_data.IpPort
{
    "1": 0.06072874493927125,
    "2": 0.03373015873015873,
    "3": 0.0063970284770945105,
    "4": 0.04294478527607362,
    "5": 0.024798154555940023,
    "6": 0.01532033426183844
}
# event_data.LmPackageName
{
    "1": 0.058704453441295545,
    "2": 0.03373015873015873,
    "3": 0.0063970284770945105,
    "4": 0.04141104294478527,
    "5": 0.024798154555940023,
    "6": 0.01532033426183844
}
# event_data.Workstation
{
    "1": 0.010121457489878543,
    "2": 0,
    "3": 0.0002063557573256294,
    "4": 0.0015337423312883436,
    "5": 0.12975778546712802,
    "6": 0
}
# event_data.TerminalSessionId
{
    "1": 0.22469635627530365,
    "2": 0.3492063492063492,
    "3": 0.014857614527445316,
    "4": 0.10276073619631902,
    "5": 0.08823529411764706,
    "6": 0.0947075208913649
}
# event_data.SourceProcessId
{
    "1": 0,
    "2": 0.007936507936507936,
    "3": 0,
    "4": 0.049079754601226995,
    "5": 0,
    "6": 0
}
# event_data.CreationUtcTime
{
    "1": 0.20445344129554655,
    "2": 0.2123015873015873,
    "3": 0.03714403631861329,
    "4": 0.032208588957055216,
    "5": 0.24106113033448673,
    "6": 0.19637883008356546
}
# event_data.StartAddress
{
    "1": 0,
    "2": 0.007936507936507936,
    "3": 0,
    "4": 0.049079754601226995,
    "5": 0,
    "6": 0
}
# event_data.CurrentDirectory
{
    "1": 0.22469635627530365,
    "2": 0.3492063492063492,
    "3": 0.014857614527445316,
    "4": 0.10276073619631902,
    "5": 0.08823529411764706,
    "6": 0.0947075208913649
}
# event_data.RuleName
{
    "1": 0.27125506072874495,
    "2": 0.2003968253968254,
    "3": 0.038175815105241435,
    "4": 0.05828220858895705,
    "5": 0.3788927335640138,
    "6": 0.18523676880222842
}
# event_data.User
{
    "1": 0.22469635627530365,
    "2": 0.3492063492063492,
    "3": 0.014857614527445316,
    "4": 0.10276073619631902,
    "5": 0.1707035755478662,
    "6": 0.0947075208913649
}
# event_data.KeyName
{
    "1": 0,
    "2": 0,
    "3": 0,
    "4": 0.003067484662576687,
    "5": 0.002306805074971165,
    "6": 0
}
# event_data.ParentCommandLine
{
    "1": 0.22469635627530365,
    "2": 0.3492063492063492,
    "3": 0.014857614527445316,
    "4": 0.10276073619631902,
    "5": 0.08823529411764706,
    "6": 0.0947075208913649
}
# event_data.ElevatedToken
{
    "1": 0.05668016194331984,
    "2": 0.031746031746031744,
    "3": 0.006190672719768881,
    "4": 0.04141104294478527,
    "5": 0.02306805074971165,
    "6": 0.01532033426183844
}
# event_data.SourceProcessGuid
{
    "1": 0,
    "2": 0.007936507936507936,
    "3": 0,
    "4": 0.049079754601226995,
    "5": 0,
    "6": 0
}
# event_data.ParentProcessGuid
{
    "1": 0.22469635627530365,
    "2": 0.3492063492063492,
    "3": 0.014857614527445316,
    "4": 0.10276073619631902,
    "5": 0.08823529411764706,
    "6": 0.0947075208913649
}
# event_data.EventType
{
    "1": 0.15789473684210525,
    "2": 0.013888888888888888,
    "3": 0.007222451506397029,
    "4": 0.0598159509202454,
    "5": 0.11591695501730104,
    "6": 0.006963788300835654
}
# event_data.param1
{
    "1": 0,
    "2": 0,
    "3": 0,
    "4": 0.38190184049079756,
    "5": 0,
    "6": 0
}
# event_data.TargetProcessGuid
{
    "1": 0,
    "2": 0.007936507936507936,
    "3": 0,
    "4": 0.049079754601226995,
    "5": 0,
    "6": 0
}
# event_data.AuthenticationPackageName
{
    "1": 0.058704453441295545,
    "2": 0.03373015873015873,
    "3": 0.0063970284770945105,
    "4": 0.04141104294478527,
    "5": 0.024798154555940023,
    "6": 0.01532033426183844
}
# event_data.KeyLength
{
    "1": 0.058704453441295545,
    "2": 0.03373015873015873,
    "3": 0.0063970284770945105,
    "4": 0.04141104294478527,
    "5": 0.024798154555940023,
    "6": 0.01532033426183844
}
# event_data.TargetName
{
    "1": 0.012145748987854251,
    "2": 0.031746031746031744,
    "3": 0.0012381345439537762,
    "4": 0.03987730061349693,
    "5": 0.2104959630911188,
    "6": 0.03203342618384401
}
# system.Version
{
    "1": 1.0,
    "2": 1.0,
    "3": 1.0,
    "4": 1.0,
    "5": 1.0,
    "6": 1.0
}
# event_data.LogonId
{
    "1": 0.22469635627530365,
    "2": 0.3492063492063492,
    "3": 0.014857614527445316,
    "4": 0.10276073619631902,
    "5": 0.08823529411764706,
    "6": 0.0947075208913649
}
# event_data.IpAddress
{
    "1": 0.06072874493927125,
    "2": 0.03373015873015873,
    "3": 0.0063970284770945105,
    "4": 0.04294478527607362,
    "5": 0.024798154555940023,
    "6": 0.01532033426183844
}
# event_data.FileVersion
{
    "1": 0.22469635627530365,
    "2": 0.3492063492063492,
    "3": 0.014857614527445316,
    "4": 0.10276073619631902,
    "5": 0.08823529411764706,
    "6": 0.0947075208913649
}
# event_data.Company
{
    "1": 0.22469635627530365,
    "2": 0.3492063492063492,
    "3": 0.014032191498142799,
    "4": 0.09049079754601227,
    "5": 0.08823529411764706,
    "6": 0.08913649025069638
}
# event_data.TargetOutboundUserName
{
    "1": 0.05668016194331984,
    "2": 0.031746031746031744,
    "3": 0.006190672719768881,
    "4": 0.04141104294478527,
    "5": 0.02306805074971165,
    "6": 0.01532033426183844
}
# event_data.TargetFilename
{
    "1": 0.20445344129554655,
    "2": 0.2123015873015873,
    "3": 0.03714403631861329,
    "4": 0.032208588957055216,
    "5": 0.24106113033448673,
    "6": 0.19637883008356546
}
# event_data.ObjectServer
{
    "1": 0.0020242914979757085,
    "2": 0,
    "3": 0.902600082542303,
    "4": 0,
    "5": 0.004036908881199538,
    "6": 0.001392757660167131
}
# event_data.UtcTime
{
    "1": 0.8360323886639676,
    "2": 0.8948412698412699,
    "3": 0.07985967808501858,
    "4": 0.47699386503067487,
    "5": 0.5893886966551326,
    "6": 0.9345403899721448
}
# event_data.Protocol
{
    "1": 0,
    "2": 0,
    "3": 0,
    "4": 0,
    "5": 0.08246828143021914,
    "6": 0
}
# event_data.TargetOutboundDomainName
{
    "1": 0.05668016194331984,
    "2": 0.031746031746031744,
    "3": 0.006190672719768881,
    "4": 0.04141104294478527,
    "5": 0.02306805074971165,
    "6": 0.01532033426183844
}
# event_data.SubjectDomainName
{
    "1": 0.15991902834008098,
    "2": 0.10515873015873016,
    "3": 0.9201403219149814,
    "4": 0.13803680981595093,
    "5": 0.41061130334486734,
    "6": 0.06545961002785515
}
# event_data.ProcessName
{
    "1": 0.06477732793522267,
    "2": 0.03373015873015873,
    "3": 0.9089971110193974,
    "4": 0.04294478527607362,
    "5": 0.02883506343713956,
    "6": 0.018105849582172703
}
# system.Task
{
    "1": 1.0,
    "2": 1.0,
    "3": 1.0,
    "4": 1.0,
    "5": 1.0,
    "6": 1.0
}
# event_data.ClientCreationTime
{
    "1": 0,
    "2": 0,
    "3": 0,
    "4": 0.0015337423312883436,
    "5": 0.0011534025374855825,
    "6": 0
}
# label
{
    "1": 1.0,
    "2": 1.0,
    "3": 1.0,
    "4": 1.0,
    "5": 1.0,
    "6": 1.0
}
# event_data.HandleId
{
    "1": 0.0020242914979757085,
    "2": 0,
    "3": 0.902600082542303,
    "4": 0,
    "5": 0.004036908881199538,
    "6": 0.001392757660167131
}
# event_data.NewSd
{
    "1": 0.0020242914979757085,
    "2": 0,
    "3": 0.902600082542303,
    "4": 0,
    "5": 0.004036908881199538,
    "6": 0.001392757660167131
}
# event_data.CommandLine
{
    "1": 0.22469635627530365,
    "2": 0.3492063492063492,
    "3": 0.014857614527445316,
    "4": 0.10276073619631902,
    "5": 0.08823529411764706,
    "6": 0.0947075208913649
}
# event_data.CountOfCredentialsReturned
{
    "1": 0.012145748987854251,
    "2": 0.031746031746031744,
    "3": 0.0012381345439537762,
    "4": 0.03987730061349693,
    "5": 0.2104959630911188,
    "6": 0.03203342618384401
}
# event_data.VirtualAccount
{
    "1": 0.05668016194331984,
    "2": 0.031746031746031744,
    "3": 0.006190672719768881,
    "4": 0.04141104294478527,
    "5": 0.02306805074971165,
    "6": 0.01532033426183844
}
# event_data.RestrictedAdminMode
{
    "1": 0.05668016194331984,
    "2": 0.031746031746031744,
    "3": 0.006190672719768881,
    "4": 0.04141104294478527,
    "5": 0.02306805074971165,
    "6": 0.01532033426183844
}
# event_data.Product
{
    "1": 0.22469635627530365,
    "2": 0.3492063492063492,
    "3": 0.014857614527445316,
    "4": 0.10276073619631902,
    "5": 0.08823529411764706,
    "6": 0.0947075208913649
}
# event_data.SourcePort
{
    "1": 0,
    "2": 0,
    "3": 0,
    "4": 0,
    "5": 0.08246828143021914,
    "6": 0
}
# event_data.DestinationPort
{
    "1": 0,
    "2": 0,
    "3": 0,
    "4": 0,
    "5": 0.08246828143021914,
    "6": 0
}
# event_data.TargetLinkedLogonId
{
    "1": 0.05668016194331984,
    "2": 0.031746031746031744,
    "3": 0.006190672719768881,
    "4": 0.04141104294478527,
    "5": 0.02306805074971165,
    "6": 0.01532033426183844
}
# event_data.TransmittedServices
{
    "1": 0.058704453441295545,
    "2": 0.03373015873015873,
    "3": 0.0063970284770945105,
    "4": 0.04141104294478527,
    "5": 0.024798154555940023,
    "6": 0.01532033426183844
}
# event_data.SubjectUserName
{
    "1": 0.15991902834008098,
    "2": 0.10515873015873016,
    "3": 0.9201403219149814,
    "4": 0.13803680981595093,
    "5": 0.41061130334486734,
    "6": 0.06545961002785515
}
# event_data.Details
{
    "1": 0.1396761133603239,
    "2": 0.013888888888888888,
    "3": 0.006603384234420141,
    "4": 0.0598159509202454,
    "5": 0.11418685121107267,
    "6": 0.006963788300835654
}
# event_data.TargetDomainName
{
    "1": 0.0931174089068826,
    "2": 0.041666666666666664,
    "3": 0.01011143210895584,
    "4": 0.05674846625766871,
    "5": 0.1707035755478662,
    "6": 0.01532033426183844
}
# event_data.DestinationIp
{
    "1": 0,
    "2": 0,
    "3": 0,
    "4": 0,
    "5": 0.08246828143021914,
    "6": 0
}
# event_data.SourcePortName
{
    "1": 0,
    "2": 0,
    "3": 0,
    "4": 0,
    "5": 0.0,
    "6": 0
}
# event_data.Type
{
    "1": 0.012145748987854251,
    "2": 0.031746031746031744,
    "3": 0.0012381345439537762,
    "4": 0.03987730061349693,
    "5": 0.2104959630911188,
    "6": 0.03203342618384401
}
# event_data.SourceImage
{
    "1": 0,
    "2": 0.007936507936507936,
    "3": 0,
    "4": 0.049079754601226995,
    "5": 0,
    "6": 0
}
# event_data.CallerProcessName
{
    "1": 0.018218623481781375,
    "2": 0.007936507936507936,
    "3": 0.0035080478745356997,
    "4": 0.009202453987730062,
    "5": 0.016147635524798153,
    "6": 0
}
# event_data.ParentProcessId
{
    "1": 0.22469635627530365,
    "2": 0.3492063492063492,
    "3": 0.014857614527445316,
    "4": 0.10276073619631902,
    "5": 0.08823529411764706,
    "6": 0.0947075208913649
}
# event_data.TargetObject
{
    "1": 0.15789473684210525,
    "2": 0.013888888888888888,
    "3": 0.007222451506397029,
    "4": 0.0598159509202454,
    "5": 0.11591695501730104,
    "6": 0.006963788300835654
}
# event_data.KeyFilePath
{
    "1": 0,
    "2": 0,
    "3": 0,
    "4": 0.0015337423312883436,
    "5": 0.0011534025374855825,
    "6": 0
}
# event_data.SourceHostname
{
    "1": 0,
    "2": 0,
    "3": 0,
    "4": 0,
    "5": 0.08246828143021914,
    "6": 0
}
# event_data.StartModule
{
    "1": 0,
    "2": 0.0,
    "3": 0,
    "4": 0.0,
    "5": 0,
    "6": 0
}
# event_data.DestinationPortName
{
    "1": 0,
    "2": 0,
    "3": 0,
    "4": 0,
    "5": 0.021337946943483274,
    "6": 0
}
# event_data.SourceIsIpv6
{
    "1": 0,
    "2": 0,
    "3": 0,
    "4": 0,
    "5": 0.08246828143021914,
    "6": 0
}
# event_data.Description
{
    "1": 0.22469635627530365,
    "2": 0.3492063492063492,
    "3": 0.014857614527445316,
    "4": 0.10276073619631902,
    "5": 0.08823529411764706,
    "6": 0.0947075208913649
}
# event_data.PrivilegeList
{
    "1": 0.05465587044534413,
    "2": 0.031746031746031744,
    "3": 0.006190672719768881,
    "4": 0.04141104294478527,
    "5": 0.02306805074971165,
    "6": 0.01532033426183844
}
# event_data.QueryName
{
    "1": 0.24898785425101214,
    "2": 0.27380952380952384,
    "3": 0.02042921997523731,
    "4": 0.21932515337423314,
    "5": 0.052479815455594,
    "6": 0.6337047353760445
}
# event_data.LogonGuid
{
    "1": 0.2834008097165992,
    "2": 0.38095238095238093,
    "3": 0.021048287247214196,
    "4": 0.14570552147239263,
    "5": 0.11130334486735871,
    "6": 0.11002785515320335
}
# event_data.TargetUserSid
{
    "1": 0.06275303643724696,
    "2": 0.03373015873015873,
    "3": 0.0063970284770945105,
    "4": 0.04447852760736196,
    "5": 0.024798154555940023,
    "6": 0.01532033426183844
}

Composition

In [16]:
# Per-attribute value composition: for each attribute, print every person's
# value -> count dictionary and draw one grouped bar series per person.
#
# The printed dictionaries are keyed by raw field values taken from the logs
# (the output below includes account names, a SID, image paths and file hashes),
# so review or clear this cell's output before the notebook is shared.
for attr in analyzer.statistics:
    bars = []
    # Attributes with more than 15 entries in value_dict are skipped
    # (presumably value_dict[attr] holds the distinct values seen -- confirm in Analyzer).
    if len(analyzer.value_dict[attr]) <= 15:
        print(f"\n# {attr}")

        for label in analyzer.statistics[attr]:
            counts = analyzer.statistics[attr][label]
            print(f"  - Person{label}:")
            print(f"\t{analyzer.statistics[attr][label]}")

            # Categories and their counts, in the dictionary's own order.
            # NOTE(review): the None key looks like "attribute absent in the event";
            # check how plotly renders a None category before relying on the chart.
            x = list(counts)
            y = [counts[value] for value in x]

            bars.append(go.Bar(name=f'Person{label}', x=x, y=y))

        fig = go.Figure(data=bars)
        fig.update_layout(xaxis_type='category', title_text=attr, barmode='group')
        fig.show()
# event_data.ObjectType
  - Person1:
	{None: 493, 'File': 1}
  - Person2:
	{None: 0, 'File': 0}
  - Person3:
	{None: 472, 'File': 4374}
  - Person4:
	{None: 0, 'File': 0}
  - Person5:
	{None: 1727, 'File': 7}
  - Person6:
	{None: 717, 'File': 1}
# event_data.TargetProcessId
  - Person1:
	{None: 0, '544': 0, '536': 0}
  - Person2:
	{None: 500, '544': 4, '536': 0}
  - Person3:
	{None: 0, '544': 0, '536': 0}
  - Person4:
	{None: 620, '544': 0, '536': 32}
  - Person5:
	{None: 0, '544': 0, '536': 0}
  - Person6:
	{None: 0, '544': 0, '536': 0}
# event_data.TargetUserName
  - Person1:
	{'SYSTEM': 26, 'DWM-1': 0, 'Backup Operators': 0, 'WDAGUtilityAccount': 1, 'Administrator': 2, 'Administrators': 0, 'DefaultAccount': 1, None: 448, 'NS': 11, 'Guest': 5}
  - Person2:
	{'SYSTEM': 16, 'DWM-1': 0, 'Backup Operators': 0, 'WDAGUtilityAccount': 0, 'Administrator': 0, 'Administrators': 0, 'DefaultAccount': 0, None: 483, 'NS': 5, 'Guest': 0}
  - Person3:
	{'SYSTEM': 30, 'DWM-1': 0, 'Backup Operators': 5, 'WDAGUtilityAccount': 0, 'Administrator': 1, 'Administrators': 5, 'DefaultAccount': 0, None: 4797, 'NS': 4, 'Guest': 4}
  - Person4:
	{'SYSTEM': 25, 'DWM-1': 5, 'Backup Operators': 0, 'WDAGUtilityAccount': 0, 'Administrator': 1, 'Administrators': 0, 'DefaultAccount': 0, None: 615, 'NS': 2, 'Guest': 4}
  - Person5:
	{'SYSTEM': 40, 'DWM-1': 0, 'Backup Operators': 8, 'WDAGUtilityAccount': 56, 'Administrator': 57, 'Administrators': 8, 'DefaultAccount': 56, None: 1438, 'NS': 11, 'Guest': 60}
  - Person6:
	{'SYSTEM': 11, 'DWM-1': 0, 'Backup Operators': 0, 'WDAGUtilityAccount': 0, 'Administrator': 0, 'Administrators': 0, 'DefaultAccount': 0, None: 707, 'NS': 0, 'Guest': 0}
# event_data.TargetImage
  - Person1:
	{None: 0, 'C:\\Windows\\System32\\csrss.exe': 0}
  - Person2:
	{None: 500, 'C:\\Windows\\System32\\csrss.exe': 4}
  - Person3:
	{None: 0, 'C:\\Windows\\System32\\csrss.exe': 0}
  - Person4:
	{None: 620, 'C:\\Windows\\System32\\csrss.exe': 32}
  - Person5:
	{None: 0, 'C:\\Windows\\System32\\csrss.exe': 0}
  - Person6:
	{None: 0, 'C:\\Windows\\System32\\csrss.exe': 0}
# event_data.Hash
  - Person1:
	{'MD5=EFED1CD90742F6FCDDB8942DD21AC2AC,SHA256=F7D10A8020011B4D10C93F15B2526C63F9B4E4F793EB731CAB4B380D8AE6A313,IMPHASH=00000000000000000000000000000000': 0, 'MD5=5E732B01D021FEA585F0874407E6BE6C,SHA256=BCBBEAB9FDD35F9079A5E26A1E7156838364538B563A9B5DC1459F467D938CE2,IMPHASH=00000000000000000000000000000000': 0, 'MD5=6915F430B0C93840A1B3212B8F82F99A,SHA256=0AFB8A266A27B6A9B863D78A2B8087FA2D1CE5AB5B412B645B8377ABF2DD3E68,IMPHASH=00000000000000000000000000000000': 0, 'MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000': 0, 'MD5=BA446AFE6CE2341D9DDE43BD50DA7167,SHA256=E51CAD403CAFA19AE3D19B0B8B5F6AE61F7231047D8041CFF4CFED2F57D4100F,IMPHASH=00000000000000000000000000000000': 0, 'MD5=452373E2C467C14220EFEB10F40C231F,SHA256=E5EA9F5646FE3CFF2621B61A55A98EA5B3E9CA7DD7CC14C13535E55C88686872,IMPHASH=D7E2FD259780271687FFCA462B9E69B7': 0, 'MD5=D2E7685A60E27FA8408AC96336CA77A0,SHA256=E3E800946E4B1EE146F942CDFDA27B8C94B9DBABBDFD76B4515FB6BF00B9A888,IMPHASH=00000000000000000000000000000000': 0, 'MD5=56F6DC8E5B4D9F36F3F5732A5992E6A6,SHA256=8858955289BD86743B356DF90A8D45E608000973E66BE17CFBE9B70ADBD77209,IMPHASH=20DD26497880C05CAED9305B3C8B9109': 0, None: 0, 'MD5=C978088F04B0D519F04D76E76FB42CD4,SHA256=C4CFC46F50D9A051EEC3375C14E61CFE8B1A0290CAF16DC161B64828BC34CA2A,IMPHASH=00000000000000000000000000000000': 0, 'MD5=592ED72E3636996BE037E7A26B595895,SHA256=583E892750B46FA7AA6E62FC8A324E4F34D9A7263B9D90CC0229DEEDC900B382,IMPHASH=00000000000000000000000000000000': 0}
  - Person2:
	{'MD5=EFED1CD90742F6FCDDB8942DD21AC2AC,SHA256=F7D10A8020011B4D10C93F15B2526C63F9B4E4F793EB731CAB4B380D8AE6A313,IMPHASH=00000000000000000000000000000000': 0, 'MD5=5E732B01D021FEA585F0874407E6BE6C,SHA256=BCBBEAB9FDD35F9079A5E26A1E7156838364538B563A9B5DC1459F467D938CE2,IMPHASH=00000000000000000000000000000000': 0, 'MD5=6915F430B0C93840A1B3212B8F82F99A,SHA256=0AFB8A266A27B6A9B863D78A2B8087FA2D1CE5AB5B412B645B8377ABF2DD3E68,IMPHASH=00000000000000000000000000000000': 0, 'MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000': 0, 'MD5=BA446AFE6CE2341D9DDE43BD50DA7167,SHA256=E51CAD403CAFA19AE3D19B0B8B5F6AE61F7231047D8041CFF4CFED2F57D4100F,IMPHASH=00000000000000000000000000000000': 0, 'MD5=452373E2C467C14220EFEB10F40C231F,SHA256=E5EA9F5646FE3CFF2621B61A55A98EA5B3E9CA7DD7CC14C13535E55C88686872,IMPHASH=D7E2FD259780271687FFCA462B9E69B7': 0, 'MD5=D2E7685A60E27FA8408AC96336CA77A0,SHA256=E3E800946E4B1EE146F942CDFDA27B8C94B9DBABBDFD76B4515FB6BF00B9A888,IMPHASH=00000000000000000000000000000000': 0, 'MD5=56F6DC8E5B4D9F36F3F5732A5992E6A6,SHA256=8858955289BD86743B356DF90A8D45E608000973E66BE17CFBE9B70ADBD77209,IMPHASH=20DD26497880C05CAED9305B3C8B9109': 0, None: 0, 'MD5=C978088F04B0D519F04D76E76FB42CD4,SHA256=C4CFC46F50D9A051EEC3375C14E61CFE8B1A0290CAF16DC161B64828BC34CA2A,IMPHASH=00000000000000000000000000000000': 0, 'MD5=592ED72E3636996BE037E7A26B595895,SHA256=583E892750B46FA7AA6E62FC8A324E4F34D9A7263B9D90CC0229DEEDC900B382,IMPHASH=00000000000000000000000000000000': 0}
  - Person3:
	{'MD5=EFED1CD90742F6FCDDB8942DD21AC2AC,SHA256=F7D10A8020011B4D10C93F15B2526C63F9B4E4F793EB731CAB4B380D8AE6A313,IMPHASH=00000000000000000000000000000000': 0, 'MD5=5E732B01D021FEA585F0874407E6BE6C,SHA256=BCBBEAB9FDD35F9079A5E26A1E7156838364538B563A9B5DC1459F467D938CE2,IMPHASH=00000000000000000000000000000000': 0, 'MD5=6915F430B0C93840A1B3212B8F82F99A,SHA256=0AFB8A266A27B6A9B863D78A2B8087FA2D1CE5AB5B412B645B8377ABF2DD3E68,IMPHASH=00000000000000000000000000000000': 0, 'MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000': 1, 'MD5=BA446AFE6CE2341D9DDE43BD50DA7167,SHA256=E51CAD403CAFA19AE3D19B0B8B5F6AE61F7231047D8041CFF4CFED2F57D4100F,IMPHASH=00000000000000000000000000000000': 1, 'MD5=452373E2C467C14220EFEB10F40C231F,SHA256=E5EA9F5646FE3CFF2621B61A55A98EA5B3E9CA7DD7CC14C13535E55C88686872,IMPHASH=D7E2FD259780271687FFCA462B9E69B7': 0, 'MD5=D2E7685A60E27FA8408AC96336CA77A0,SHA256=E3E800946E4B1EE146F942CDFDA27B8C94B9DBABBDFD76B4515FB6BF00B9A888,IMPHASH=00000000000000000000000000000000': 0, 'MD5=56F6DC8E5B4D9F36F3F5732A5992E6A6,SHA256=8858955289BD86743B356DF90A8D45E608000973E66BE17CFBE9B70ADBD77209,IMPHASH=20DD26497880C05CAED9305B3C8B9109': 0, None: 4840, 'MD5=C978088F04B0D519F04D76E76FB42CD4,SHA256=C4CFC46F50D9A051EEC3375C14E61CFE8B1A0290CAF16DC161B64828BC34CA2A,IMPHASH=00000000000000000000000000000000': 1, 'MD5=592ED72E3636996BE037E7A26B595895,SHA256=583E892750B46FA7AA6E62FC8A324E4F34D9A7263B9D90CC0229DEEDC900B382,IMPHASH=00000000000000000000000000000000': 3}
  - Person4:
	{'MD5=EFED1CD90742F6FCDDB8942DD21AC2AC,SHA256=F7D10A8020011B4D10C93F15B2526C63F9B4E4F793EB731CAB4B380D8AE6A313,IMPHASH=00000000000000000000000000000000': 0, 'MD5=5E732B01D021FEA585F0874407E6BE6C,SHA256=BCBBEAB9FDD35F9079A5E26A1E7156838364538B563A9B5DC1459F467D938CE2,IMPHASH=00000000000000000000000000000000': 0, 'MD5=6915F430B0C93840A1B3212B8F82F99A,SHA256=0AFB8A266A27B6A9B863D78A2B8087FA2D1CE5AB5B412B645B8377ABF2DD3E68,IMPHASH=00000000000000000000000000000000': 0, 'MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000': 0, 'MD5=BA446AFE6CE2341D9DDE43BD50DA7167,SHA256=E51CAD403CAFA19AE3D19B0B8B5F6AE61F7231047D8041CFF4CFED2F57D4100F,IMPHASH=00000000000000000000000000000000': 0, 'MD5=452373E2C467C14220EFEB10F40C231F,SHA256=E5EA9F5646FE3CFF2621B61A55A98EA5B3E9CA7DD7CC14C13535E55C88686872,IMPHASH=D7E2FD259780271687FFCA462B9E69B7': 0, 'MD5=D2E7685A60E27FA8408AC96336CA77A0,SHA256=E3E800946E4B1EE146F942CDFDA27B8C94B9DBABBDFD76B4515FB6BF00B9A888,IMPHASH=00000000000000000000000000000000': 0, 'MD5=56F6DC8E5B4D9F36F3F5732A5992E6A6,SHA256=8858955289BD86743B356DF90A8D45E608000973E66BE17CFBE9B70ADBD77209,IMPHASH=20DD26497880C05CAED9305B3C8B9109': 0, None: 0, 'MD5=C978088F04B0D519F04D76E76FB42CD4,SHA256=C4CFC46F50D9A051EEC3375C14E61CFE8B1A0290CAF16DC161B64828BC34CA2A,IMPHASH=00000000000000000000000000000000': 0, 'MD5=592ED72E3636996BE037E7A26B595895,SHA256=583E892750B46FA7AA6E62FC8A324E4F34D9A7263B9D90CC0229DEEDC900B382,IMPHASH=00000000000000000000000000000000': 0}
  - Person5:
	{'MD5=EFED1CD90742F6FCDDB8942DD21AC2AC,SHA256=F7D10A8020011B4D10C93F15B2526C63F9B4E4F793EB731CAB4B380D8AE6A313,IMPHASH=00000000000000000000000000000000': 1, 'MD5=5E732B01D021FEA585F0874407E6BE6C,SHA256=BCBBEAB9FDD35F9079A5E26A1E7156838364538B563A9B5DC1459F467D938CE2,IMPHASH=00000000000000000000000000000000': 1, 'MD5=6915F430B0C93840A1B3212B8F82F99A,SHA256=0AFB8A266A27B6A9B863D78A2B8087FA2D1CE5AB5B412B645B8377ABF2DD3E68,IMPHASH=00000000000000000000000000000000': 1, 'MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000': 2, 'MD5=BA446AFE6CE2341D9DDE43BD50DA7167,SHA256=E51CAD403CAFA19AE3D19B0B8B5F6AE61F7231047D8041CFF4CFED2F57D4100F,IMPHASH=00000000000000000000000000000000': 0, 'MD5=452373E2C467C14220EFEB10F40C231F,SHA256=E5EA9F5646FE3CFF2621B61A55A98EA5B3E9CA7DD7CC14C13535E55C88686872,IMPHASH=D7E2FD259780271687FFCA462B9E69B7': 3, 'MD5=D2E7685A60E27FA8408AC96336CA77A0,SHA256=E3E800946E4B1EE146F942CDFDA27B8C94B9DBABBDFD76B4515FB6BF00B9A888,IMPHASH=00000000000000000000000000000000': 1, 'MD5=56F6DC8E5B4D9F36F3F5732A5992E6A6,SHA256=8858955289BD86743B356DF90A8D45E608000973E66BE17CFBE9B70ADBD77209,IMPHASH=20DD26497880C05CAED9305B3C8B9109': 3, None: 1722, 'MD5=C978088F04B0D519F04D76E76FB42CD4,SHA256=C4CFC46F50D9A051EEC3375C14E61CFE8B1A0290CAF16DC161B64828BC34CA2A,IMPHASH=00000000000000000000000000000000': 0, 'MD5=592ED72E3636996BE037E7A26B595895,SHA256=583E892750B46FA7AA6E62FC8A324E4F34D9A7263B9D90CC0229DEEDC900B382,IMPHASH=00000000000000000000000000000000': 0}
  - Person6:
	{'MD5=EFED1CD90742F6FCDDB8942DD21AC2AC,SHA256=F7D10A8020011B4D10C93F15B2526C63F9B4E4F793EB731CAB4B380D8AE6A313,IMPHASH=00000000000000000000000000000000': 0, 'MD5=5E732B01D021FEA585F0874407E6BE6C,SHA256=BCBBEAB9FDD35F9079A5E26A1E7156838364538B563A9B5DC1459F467D938CE2,IMPHASH=00000000000000000000000000000000': 0, 'MD5=6915F430B0C93840A1B3212B8F82F99A,SHA256=0AFB8A266A27B6A9B863D78A2B8087FA2D1CE5AB5B412B645B8377ABF2DD3E68,IMPHASH=00000000000000000000000000000000': 0, 'MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000': 0, 'MD5=BA446AFE6CE2341D9DDE43BD50DA7167,SHA256=E51CAD403CAFA19AE3D19B0B8B5F6AE61F7231047D8041CFF4CFED2F57D4100F,IMPHASH=00000000000000000000000000000000': 0, 'MD5=452373E2C467C14220EFEB10F40C231F,SHA256=E5EA9F5646FE3CFF2621B61A55A98EA5B3E9CA7DD7CC14C13535E55C88686872,IMPHASH=D7E2FD259780271687FFCA462B9E69B7': 0, 'MD5=D2E7685A60E27FA8408AC96336CA77A0,SHA256=E3E800946E4B1EE146F942CDFDA27B8C94B9DBABBDFD76B4515FB6BF00B9A888,IMPHASH=00000000000000000000000000000000': 0, 'MD5=56F6DC8E5B4D9F36F3F5732A5992E6A6,SHA256=8858955289BD86743B356DF90A8D45E608000973E66BE17CFBE9B70ADBD77209,IMPHASH=20DD26497880C05CAED9305B3C8B9109': 0, None: 0, 'MD5=C978088F04B0D519F04D76E76FB42CD4,SHA256=C4CFC46F50D9A051EEC3375C14E61CFE8B1A0290CAF16DC161B64828BC34CA2A,IMPHASH=00000000000000000000000000000000': 0, 'MD5=592ED72E3636996BE037E7A26B595895,SHA256=583E892750B46FA7AA6E62FC8A324E4F34D9A7263B9D90CC0229DEEDC900B382,IMPHASH=00000000000000000000000000000000': 0}
# event_data.ProviderName
  - Person1:
	{None: 0, 'Microsoft Software Key Storage Provider': 0}
  - Person2:
	{None: 0, 'Microsoft Software Key Storage Provider': 0}
  - Person3:
	{None: 0, 'Microsoft Software Key Storage Provider': 0}
  - Person4:
	{None: 650, 'Microsoft Software Key Storage Provider': 2}
  - Person5:
	{None: 1730, 'Microsoft Software Key Storage Provider': 4}
  - Person6:
	{None: 0, 'Microsoft Software Key Storage Provider': 0}
# event_data.IntegrityLevel
  - Person1:
	{'System': 69, 'Low': 1, 'Medium': 37, None: 383, 'High': 4}
  - Person2:
	{'System': 24, 'Low': 1, 'Medium': 148, None: 328, 'High': 3}
  - Person3:
	{'System': 42, 'Low': 1, 'Medium': 21, None: 4774, 'High': 8}
  - Person4:
	{'System': 24, 'Low': 0, 'Medium': 42, None: 585, 'High': 1}
  - Person5:
	{'System': 81, 'Low': 5, 'Medium': 60, None: 1581, 'High': 7}
  - Person6:
	{'System': 45, 'Low': 0, 'Medium': 17, None: 650, 'High': 6}
# system.Security.UserID
  - Person1:
	{None: 81, 'S-1-5-18': 413}
  - Person2:
	{None: 53, 'S-1-5-18': 451}
  - Person3:
	{None: 4459, 'S-1-5-18': 387}
  - Person4:
	{None: 341, 'S-1-5-18': 311}
  - Person5:
	{None: 712, 'S-1-5-18': 1022}
  - Person6:
	{None: 47, 'S-1-5-18': 671}
# event_data.QueryStatus
  - Person1:
	{'9002': 0, '9501': 1, '9852': 1, '123': 19, '1460': 1, '9701': 3, None: 371, '0': 98, '9003': 0}
  - Person2:
	{'9002': 0, '9501': 0, '9852': 0, '123': 11, '1460': 0, '9701': 0, None: 366, '0': 126, '9003': 1}
  - Person3:
	{'9002': 0, '9501': 0, '9852': 0, '123': 14, '1460': 0, '9701': 0, None: 4747, '0': 85, '9003': 0}
  - Person4:
	{'9002': 0, '9501': 0, '9852': 0, '123': 1, '1460': 0, '9701': 6, None: 509, '0': 134, '9003': 2}
  - Person5:
	{'9002': 0, '9501': 0, '9852': 0, '123': 17, '1460': 0, '9701': 0, None: 1643, '0': 71, '9003': 3}
  - Person6:
	{'9002': 1, '9501': 0, '9852': 0, '123': 14, '1460': 0, '9701': 0, None: 263, '0': 433, '9003': 7}
# event_data.AlgorithmName
  - Person1:
	{None: 0, 'RSA': 0, 'UNKNOWN': 0}
  - Person2:
	{None: 0, 'RSA': 0, 'UNKNOWN': 0}
  - Person3:
	{None: 0, 'RSA': 0, 'UNKNOWN': 0}
  - Person4:
	{None: 650, 'RSA': 1, 'UNKNOWN': 1}
  - Person5:
	{None: 1730, 'RSA': 2, 'UNKNOWN': 2}
  - Person6:
	{None: 0, 'RSA': 0, 'UNKNOWN': 0}
# event_data.KeyType
  - Person1:
	{None: 0, '%%2500': 0}
  - Person2:
	{None: 0, '%%2500': 0}
  - Person3:
	{None: 0, '%%2500': 0}
  - Person4:
	{None: 650, '%%2500': 2}
  - Person5:
	{None: 1730, '%%2500': 4}
  - Person6:
	{None: 0, '%%2500': 0}
# event_data.ImpersonationLevel
  - Person1:
	{None: 466, '%%1833': 28}
  - Person2:
	{None: 488, '%%1833': 16}
  - Person3:
	{None: 4816, '%%1833': 30}
  - Person4:
	{None: 625, '%%1833': 27}
  - Person5:
	{None: 1694, '%%1833': 40}
  - Person6:
	{None: 707, '%%1833': 11}
# event_data.DestinationHostname
  - Person1:
	{None: 0, 'dsnspc172.cs.nctu.edu.tw': 0, 'DESKTOP-P84STH6': 0}
  - Person2:
	{None: 0, 'dsnspc172.cs.nctu.edu.tw': 0, 'DESKTOP-P84STH6': 0}
  - Person3:
	{None: 0, 'dsnspc172.cs.nctu.edu.tw': 0, 'DESKTOP-P84STH6': 0}
  - Person4:
	{None: 0, 'dsnspc172.cs.nctu.edu.tw': 0, 'DESKTOP-P84STH6': 0}
  - Person5:
	{None: 1627, 'dsnspc172.cs.nctu.edu.tw': 1, 'DESKTOP-P84STH6': 106}
  - Person6:
	{None: 0, 'dsnspc172.cs.nctu.edu.tw': 0, 'DESKTOP-P84STH6': 0}
# event_data.SubjectUserSid
  - Person1:
	{'S-1-5-19': 1, 'S-1-5-21-223836497-1760142647-788189203-1001': 19, 'S-1-5-18': 59, None: 415, 'S-1-5-90-0-1': 0}
  - Person2:
	{'S-1-5-19': 0, 'S-1-5-21-223836497-1760142647-788189203-1001': 18, 'S-1-5-18': 35, None: 451, 'S-1-5-90-0-1': 0}
  - Person3:
	{'S-1-5-19': 0, 'S-1-5-21-223836497-1760142647-788189203-1001': 12, 'S-1-5-18': 4447, None: 387, 'S-1-5-90-0-1': 0}
  - Person4:
	{'S-1-5-19': 0, 'S-1-5-21-223836497-1760142647-788189203-1001': 20, 'S-1-5-18': 61, None: 562, 'S-1-5-90-0-1': 9}
  - Person5:
	{'S-1-5-19': 22, 'S-1-5-21-223836497-1760142647-788189203-1001': 555, 'S-1-5-18': 135, None: 1022, 'S-1-5-90-0-1': 0}
  - Person6:
	{'S-1-5-19': 1, 'S-1-5-21-223836497-1760142647-788189203-1001': 14, 'S-1-5-18': 32, None: 671, 'S-1-5-90-0-1': 0}
# event_data.Initiated
  - Person1:
	{None: 0, 'true': 0, 'false': 0}
  - Person2:
	{None: 0, 'true': 0, 'false': 0}
  - Person3:
	{None: 0, 'true': 0, 'false': 0}
  - Person4:
	{None: 0, 'true': 0, 'false': 0}
  - Person5:
	{None: 1591, 'true': 90, 'false': 53}
  - Person6:
	{None: 0, 'true': 0, 'false': 0}
# event_data.DestinationIsIpv6
  - Person1:
	{None: 0, 'true': 0, 'false': 0}
  - Person2:
	{None: 0, 'true': 0, 'false': 0}
  - Person3:
	{None: 0, 'true': 0, 'false': 0}
  - Person4:
	{None: 0, 'true': 0, 'false': 0}
  - Person5:
	{None: 1591, 'true': 106, 'false': 37}
  - Person6:
	{None: 0, 'true': 0, 'false': 0}
# event_data.StartFunction
  - Person1:
	{None: 0}
  - Person2:
	{None: 504}
  - Person3:
	{None: 0}
  - Person4:
	{None: 652}
  - Person5:
	{None: 0}
  - Person6:
	{None: 0}
# event_data.LogonType
  - Person1:
	{None: 463, '5': 26, '2': 5}
  - Person2:
	{None: 487, '5': 16, '2': 1}
  - Person3:
	{None: 4815, '5': 30, '2': 1}
  - Person4:
	{None: 623, '5': 25, '2': 4}
  - Person5:
	{None: 1691, '5': 40, '2': 3}
  - Person6:
	{None: 707, '5': 11, '2': 0}
# event_data.Operation
  - Person1:
	{None: 0, '%%2458': 0, '%%2480': 0}
  - Person2:
	{None: 0, '%%2458': 0, '%%2480': 0}
  - Person3:
	{None: 0, '%%2458': 0, '%%2480': 0}
  - Person4:
	{None: 650, '%%2458': 1, '%%2480': 1}
  - Person5:
	{None: 1730, '%%2458': 2, '%%2480': 2}
  - Person6:
	{None: 0, '%%2458': 0, '%%2480': 0}
# event_data.ReadOperation
  - Person1:
	{None: 488, '%%8100': 6, '%%8099': 0}
  - Person2:
	{None: 488, '%%8100': 16, '%%8099': 0}
  - Person3:
	{None: 4840, '%%8100': 6, '%%8099': 0}
  - Person4:
	{None: 626, '%%8100': 25, '%%8099': 1}
  - Person5:
	{None: 1369, '%%8100': 88, '%%8099': 277}
  - Person6:
	{None: 695, '%%8100': 23, '%%8099': 0}
# system.Correlation.ActivityID
  - Person1:
	{'{9e1903ff-2cdb-0000-0b05-199edb2cd601}': 77, '{e0e75f9b-2cda-0001-ec5f-e7e0da2cd601}': 0, '{46ce64eb-2cda-0001-3665-ce46da2cd601}': 0, '{3591cc69-2cda-0001-b1cc-9135da2cd601}': 0, None: 417, '{a21559d7-2cda-0001-275a-15a2da2cd601}': 0, '{7eccaef9-2cd8-0000-01b0-cc7ed82cd601}': 0}
  - Person2:
	{'{9e1903ff-2cdb-0000-0b05-199edb2cd601}': 0, '{e0e75f9b-2cda-0001-ec5f-e7e0da2cd601}': 0, '{46ce64eb-2cda-0001-3665-ce46da2cd601}': 0, '{3591cc69-2cda-0001-b1cc-9135da2cd601}': 53, None: 451, '{a21559d7-2cda-0001-275a-15a2da2cd601}': 0, '{7eccaef9-2cd8-0000-01b0-cc7ed82cd601}': 0}
  - Person3:
	{'{9e1903ff-2cdb-0000-0b05-199edb2cd601}': 0, '{e0e75f9b-2cda-0001-ec5f-e7e0da2cd601}': 0, '{46ce64eb-2cda-0001-3665-ce46da2cd601}': 85, '{3591cc69-2cda-0001-b1cc-9135da2cd601}': 0, None: 4761, '{a21559d7-2cda-0001-275a-15a2da2cd601}': 0, '{7eccaef9-2cd8-0000-01b0-cc7ed82cd601}': 0}
  - Person4:
	{'{9e1903ff-2cdb-0000-0b05-199edb2cd601}': 0, '{e0e75f9b-2cda-0001-ec5f-e7e0da2cd601}': 0, '{46ce64eb-2cda-0001-3665-ce46da2cd601}': 0, '{3591cc69-2cda-0001-b1cc-9135da2cd601}': 0, None: 562, '{a21559d7-2cda-0001-275a-15a2da2cd601}': 90, '{7eccaef9-2cd8-0000-01b0-cc7ed82cd601}': 0}
  - Person5:
	{'{9e1903ff-2cdb-0000-0b05-199edb2cd601}': 0, '{e0e75f9b-2cda-0001-ec5f-e7e0da2cd601}': 705, '{46ce64eb-2cda-0001-3665-ce46da2cd601}': 0, '{3591cc69-2cda-0001-b1cc-9135da2cd601}': 0, None: 1029, '{a21559d7-2cda-0001-275a-15a2da2cd601}': 0, '{7eccaef9-2cd8-0000-01b0-cc7ed82cd601}': 0}
  - Person6:
	{'{9e1903ff-2cdb-0000-0b05-199edb2cd601}': 0, '{e0e75f9b-2cda-0001-ec5f-e7e0da2cd601}': 0, '{46ce64eb-2cda-0001-3665-ce46da2cd601}': 0, '{3591cc69-2cda-0001-b1cc-9135da2cd601}': 0, None: 673, '{a21559d7-2cda-0001-275a-15a2da2cd601}': 0, '{7eccaef9-2cd8-0000-01b0-cc7ed82cd601}': 45}
# event_data.WorkstationName
  - Person1:
	{None: 465, '-': 26, 'DESKTOP-P84STH6': 3}
  - Person2:
	{None: 487, '-': 16, 'DESKTOP-P84STH6': 1}
  - Person3:
	{None: 4815, '-': 30, 'DESKTOP-P84STH6': 1}
  - Person4:
	{None: 625, '-': 27, 'DESKTOP-P84STH6': 0}
  - Person5:
	{None: 1691, '-': 40, 'DESKTOP-P84STH6': 3}
  - Person6:
	{None: 707, '-': 11, 'DESKTOP-P84STH6': 0}
# event_data.SourceIp
  - Person1:
	{None: 0, '10.0.2.15': 0, '0:0:0:0:0:0:0:1': 0}
  - Person2:
	{None: 0, '10.0.2.15': 0, '0:0:0:0:0:0:0:1': 0}
  - Person3:
	{None: 0, '10.0.2.15': 0, '0:0:0:0:0:0:0:1': 0}
  - Person4:
	{None: 0, '10.0.2.15': 0, '0:0:0:0:0:0:0:1': 0}
  - Person5:
	{None: 1591, '10.0.2.15': 37, '0:0:0:0:0:0:0:1': 106}
  - Person6:
	{None: 0, '10.0.2.15': 0, '0:0:0:0:0:0:0:1': 0}
# event_data.TargetLogonId
  - Person1:
	{'0x57796e': 2, '0x3e7': 26, '0x413b56': 0, '0xc5b0': 0, None: 464, '0xc57e': 0, '0x57794c': 2, '0x413b3b': 0}
  - Person2:
	{'0x57796e': 0, '0x3e7': 16, '0x413b56': 0, '0xc5b0': 0, None: 488, '0xc57e': 0, '0x57794c': 0, '0x413b3b': 0}
  - Person3:
	{'0x57796e': 0, '0x3e7': 30, '0x413b56': 0, '0xc5b0': 0, None: 4816, '0xc57e': 0, '0x57794c': 0, '0x413b3b': 0}
  - Person4:
	{'0x57796e': 0, '0x3e7': 25, '0x413b56': 1, '0xc5b0': 1, None: 623, '0xc57e': 1, '0x57794c': 0, '0x413b3b': 1}
  - Person5:
	{'0x57796e': 0, '0x3e7': 40, '0x413b56': 0, '0xc5b0': 0, None: 1694, '0xc57e': 0, '0x57794c': 0, '0x413b3b': 0}
  - Person6:
	{'0x57796e': 0, '0x3e7': 11, '0x413b56': 0, '0xc5b0': 0, None: 707, '0xc57e': 0, '0x57794c': 0, '0x413b3b': 0}
# system.Keywords
  - Person1:
	{'0x8010000000000000': 1, '0x8000000000000000': 413, '0x8020000000000000': 80}
  - Person2:
	{'0x8010000000000000': 1, '0x8000000000000000': 451, '0x8020000000000000': 52}
  - Person3:
	{'0x8010000000000000': 1, '0x8000000000000000': 387, '0x8020000000000000': 4458}
  - Person4:
	{'0x8010000000000000': 249, '0x8000000000000000': 311, '0x8020000000000000': 92}
  - Person5:
	{'0x8010000000000000': 3, '0x8000000000000000': 1022, '0x8020000000000000': 709}
  - Person6:
	{'0x8010000000000000': 0, '0x8000000000000000': 671, '0x8020000000000000': 47}
# event_data.LogonProcessName
  - Person1:
	{None: 465, 'Advapi  ': 0, 'User32\n\t\t\t': 2, 'Advapi\n\t\t\t': 27}
  - Person2:
	{None: 487, 'Advapi  ': 0, 'User32\n\t\t\t': 0, 'Advapi\n\t\t\t': 17}
  - Person3:
	{None: 4815, 'Advapi  ': 31, 'User32\n\t\t\t': 0, 'Advapi\n\t\t\t': 0}
  - Person4:
	{None: 625, 'Advapi  ': 0, 'User32\n\t\t\t': 0, 'Advapi\n\t\t\t': 27}
  - Person5:
	{None: 1691, 'Advapi  ': 43, 'User32\n\t\t\t': 0, 'Advapi\n\t\t\t': 0}
  - Person6:
	{None: 707, 'Advapi  ': 11, 'User32\n\t\t\t': 0, 'Advapi\n\t\t\t': 0}
# event_data.ReturnCode
  - Person1:
	{None: 488, '0': 2, '3221226021': 4, '0x0': 0}
  - Person2:
	{None: 488, '0': 3, '3221226021': 13, '0x0': 0}
  - Person3:
	{None: 4840, '0': 2, '3221226021': 4, '0x0': 0}
  - Person4:
	{None: 624, '0': 4, '3221226021': 22, '0x0': 2}
  - Person5:
	{None: 1365, '0': 16, '3221226021': 349, '0x0': 4}
  - Person6:
	{None: 695, '0': 4, '3221226021': 19, '0x0': 0}
# event_data.TargetSid
  - Person1:
	{'S-1-5-21-223836497-1760142647-788189203-501': 4, 'S-1-5-21-223836497-1760142647-788189203-1001': 5, 'S-1-5-32-544': 0, None: 485, 'S-1-5-32-551': 0}
  - Person2:
	{'S-1-5-21-223836497-1760142647-788189203-501': 0, 'S-1-5-21-223836497-1760142647-788189203-1001': 4, 'S-1-5-32-544': 0, None: 500, 'S-1-5-32-551': 0}
  - Person3:
	{'S-1-5-21-223836497-1760142647-788189203-501': 4, 'S-1-5-21-223836497-1760142647-788189203-1001': 3, 'S-1-5-32-544': 5, None: 4829, 'S-1-5-32-551': 5}
  - Person4:
	{'S-1-5-21-223836497-1760142647-788189203-501': 4, 'S-1-5-21-223836497-1760142647-788189203-1001': 2, 'S-1-5-32-544': 0, None: 646, 'S-1-5-32-551': 0}
  - Person5:
	{'S-1-5-21-223836497-1760142647-788189203-501': 4, 'S-1-5-21-223836497-1760142647-788189203-1001': 8, 'S-1-5-32-544': 8, None: 1706, 'S-1-5-32-551': 8}
  - Person6:
	{'S-1-5-21-223836497-1760142647-788189203-501': 0, 'S-1-5-21-223836497-1760142647-788189203-1001': 0, 'S-1-5-32-544': 0, None: 0, 'S-1-5-32-551': 0}
# event_data.IpPort
  - Person1:
	{None: 464, '-': 27, '0': 3}
  - Person2:
	{None: 487, '-': 17, '0': 0}
  - Person3:
	{None: 4815, '-': 31, '0': 0}
  - Person4:
	{None: 624, '-': 28, '0': 0}
  - Person5:
	{None: 1691, '-': 43, '0': 0}
  - Person6:
	{None: 707, '-': 11, '0': 0}
# event_data.LmPackageName
  - Person1:
	{None: 465, '-': 29}
  - Person2:
	{None: 487, '-': 17}
  - Person3:
	{None: 4815, '-': 31}
  - Person4:
	{None: 625, '-': 27}
  - Person5:
	{None: 1691, '-': 43}
  - Person6:
	{None: 707, '-': 11}
# event_data.Workstation
  - Person1:
	{None: 489, 'DESKTOP-P84STH6': 5}
  - Person2:
	{None: 0, 'DESKTOP-P84STH6': 0}
  - Person3:
	{None: 4845, 'DESKTOP-P84STH6': 1}
  - Person4:
	{None: 651, 'DESKTOP-P84STH6': 1}
  - Person5:
	{None: 1509, 'DESKTOP-P84STH6': 225}
  - Person6:
	{None: 0, 'DESKTOP-P84STH6': 0}
# event_data.TerminalSessionId
  - Person1:
	{None: 383, '0': 68, '1': 43}
  - Person2:
	{None: 328, '0': 24, '1': 152}
  - Person3:
	{None: 4774, '0': 37, '1': 35}
  - Person4:
	{None: 585, '0': 22, '1': 45}
  - Person5:
	{None: 1581, '0': 78, '1': 75}
  - Person6:
	{None: 650, '0': 45, '1': 23}
# event_data.SourceProcessId
  - Person1:
	{'7972': 0, '7788': 0, '392': 0, '6556': 0, '1076': 0, '6804': 0, '2720': 0, '7336': 0, '2356': 0, None: 0, '6868': 0, '5040': 0, '1020': 0}
  - Person2:
	{'7972': 0, '7788': 0, '392': 0, '6556': 4, '1076': 0, '6804': 0, '2720': 0, '7336': 0, '2356': 0, None: 500, '6868': 0, '5040': 0, '1020': 0}
  - Person3:
	{'7972': 0, '7788': 0, '392': 0, '6556': 0, '1076': 0, '6804': 0, '2720': 0, '7336': 0, '2356': 0, None: 0, '6868': 0, '5040': 0, '1020': 0}
  - Person4:
	{'7972': 2, '7788': 2, '392': 1, '6556': 0, '1076': 2, '6804': 2, '2720': 2, '7336': 2, '2356': 2, None: 620, '6868': 13, '5040': 2, '1020': 2}
  - Person5:
	{'7972': 0, '7788': 0, '392': 0, '6556': 0, '1076': 0, '6804': 0, '2720': 0, '7336': 0, '2356': 0, None: 0, '6868': 0, '5040': 0, '1020': 0}
  - Person6:
	{'7972': 0, '7788': 0, '392': 0, '6556': 0, '1076': 0, '6804': 0, '2720': 0, '7336': 0, '2356': 0, None: 0, '6868': 0, '5040': 0, '1020': 0}
# event_data.StartAddress
  - Person1:
	{None: 0, '0xFFFFA70BEBC32460': 0, '0xFFFFF661C9312460': 0}
  - Person2:
	{None: 500, '0xFFFFA70BEBC32460': 4, '0xFFFFF661C9312460': 0}
  - Person3:
	{None: 0, '0xFFFFA70BEBC32460': 0, '0xFFFFF661C9312460': 0}
  - Person4:
	{None: 620, '0xFFFFA70BEBC32460': 0, '0xFFFFF661C9312460': 32}
  - Person5:
	{None: 0, '0xFFFFA70BEBC32460': 0, '0xFFFFF661C9312460': 0}
  - Person6:
	{None: 0, '0xFFFFA70BEBC32460': 0, '0xFFFFF661C9312460': 0}
# event_data.User
  - Person1:
	{'Window Manager\\DWM-1': 0, 'NT AUTHORITY\\SYSTEM': 59, 'NT AUTHORITY\\LOCAL SERVICE': 5, 'DESKTOP-P84STH6\\NS': 42, None: 383, 'NT AUTHORITY\\NETWORK SERVICE': 5}
  - Person2:
	{'Window Manager\\DWM-1': 0, 'NT AUTHORITY\\SYSTEM': 21, 'NT AUTHORITY\\LOCAL SERVICE': 1, 'DESKTOP-P84STH6\\NS': 152, None: 328, 'NT AUTHORITY\\NETWORK SERVICE': 2}
  - Person3:
	{'Window Manager\\DWM-1': 0, 'NT AUTHORITY\\SYSTEM': 38, 'NT AUTHORITY\\LOCAL SERVICE': 2, 'DESKTOP-P84STH6\\NS': 30, None: 4774, 'NT AUTHORITY\\NETWORK SERVICE': 2}
  - Person4:
	{'Window Manager\\DWM-1': 2, 'NT AUTHORITY\\SYSTEM': 22, 'NT AUTHORITY\\LOCAL SERVICE': 0, 'DESKTOP-P84STH6\\NS': 43, None: 585, 'NT AUTHORITY\\NETWORK SERVICE': 0}
  - Person5:
	{'Window Manager\\DWM-1': 0, 'NT AUTHORITY\\SYSTEM': 71, 'NT AUTHORITY\\LOCAL SERVICE': 7, 'DESKTOP-P84STH6\\NS': 215, None: 1438, 'NT AUTHORITY\\NETWORK SERVICE': 3}
  - Person6:
	{'Window Manager\\DWM-1': 0, 'NT AUTHORITY\\SYSTEM': 41, 'NT AUTHORITY\\LOCAL SERVICE': 3, 'DESKTOP-P84STH6\\NS': 23, None: 650, 'NT AUTHORITY\\NETWORK SERVICE': 1}
# event_data.KeyName
  - Person1:
	{None: 0, '14fdd55a-cbd4-a213-2535-71ef6ddf0b5e': 0}
  - Person2:
	{None: 0, '14fdd55a-cbd4-a213-2535-71ef6ddf0b5e': 0}
  - Person3:
	{None: 0, '14fdd55a-cbd4-a213-2535-71ef6ddf0b5e': 0}
  - Person4:
	{None: 650, '14fdd55a-cbd4-a213-2535-71ef6ddf0b5e': 2}
  - Person5:
	{None: 1730, '14fdd55a-cbd4-a213-2535-71ef6ddf0b5e': 4}
  - Person6:
	{None: 0, '14fdd55a-cbd4-a213-2535-71ef6ddf0b5e': 0}
# event_data.ElevatedToken
  - Person1:
	{None: 466, '%%1842': 27, '%%1843': 1}
  - Person2:
	{None: 488, '%%1842': 16, '%%1843': 0}
  - Person3:
	{None: 4816, '%%1842': 30, '%%1843': 0}
  - Person4:
	{None: 625, '%%1842': 26, '%%1843': 1}
  - Person5:
	{None: 1694, '%%1842': 40, '%%1843': 0}
  - Person6:
	{None: 707, '%%1842': 11, '%%1843': 0}
# event_data.SourceProcessGuid
  - Person1:
	{'{5d3d98af-2c07-5ec2-0000-0010bd8e4300}': 0, '{5d3d98af-2c04-5ec2-0000-00101e294300}': 0, '{5d3d98af-2b7e-5ec2-0000-0010945e3c00}': 0, '{5d3d98af-25af-5ec2-0000-0010242e0900}': 0, '{5d3d98af-2988-5ec2-0000-0010a3a73000}': 0, '{5d3d98af-2b99-5ec2-0000-0010af0f3e00}': 0, '{5d3d98af-2994-5ec2-0000-0010df243100}': 0, '{5d3d98af-2b83-5ec2-0000-001037d23c00}': 0, '{5d3d98af-2bf6-5ec2-0000-0010d7e44100}': 0, '{5d3d98af-2b76-5ec2-0000-00102bdf3b00}': 0, None: 0, '{5d3d98af-264b-5ec2-0000-00107e200800}': 0, '{5d3d98af-2c22-5ec2-0000-0010ea194400}': 0}
  - Person2:
	{'{5d3d98af-2c07-5ec2-0000-0010bd8e4300}': 0, '{5d3d98af-2c04-5ec2-0000-00101e294300}': 0, '{5d3d98af-2b7e-5ec2-0000-0010945e3c00}': 0, '{5d3d98af-25af-5ec2-0000-0010242e0900}': 4, '{5d3d98af-2988-5ec2-0000-0010a3a73000}': 0, '{5d3d98af-2b99-5ec2-0000-0010af0f3e00}': 0, '{5d3d98af-2994-5ec2-0000-0010df243100}': 0, '{5d3d98af-2b83-5ec2-0000-001037d23c00}': 0, '{5d3d98af-2bf6-5ec2-0000-0010d7e44100}': 0, '{5d3d98af-2b76-5ec2-0000-00102bdf3b00}': 0, None: 500, '{5d3d98af-264b-5ec2-0000-00107e200800}': 0, '{5d3d98af-2c22-5ec2-0000-0010ea194400}': 0}
  - Person3:
	{'{5d3d98af-2c07-5ec2-0000-0010bd8e4300}': 0, '{5d3d98af-2c04-5ec2-0000-00101e294300}': 0, '{5d3d98af-2b7e-5ec2-0000-0010945e3c00}': 0, '{5d3d98af-25af-5ec2-0000-0010242e0900}': 0, '{5d3d98af-2988-5ec2-0000-0010a3a73000}': 0, '{5d3d98af-2b99-5ec2-0000-0010af0f3e00}': 0, '{5d3d98af-2994-5ec2-0000-0010df243100}': 0, '{5d3d98af-2b83-5ec2-0000-001037d23c00}': 0, '{5d3d98af-2bf6-5ec2-0000-0010d7e44100}': 0, '{5d3d98af-2b76-5ec2-0000-00102bdf3b00}': 0, None: 0, '{5d3d98af-264b-5ec2-0000-00107e200800}': 0, '{5d3d98af-2c22-5ec2-0000-0010ea194400}': 0}
  - Person4:
	{'{5d3d98af-2c07-5ec2-0000-0010bd8e4300}': 2, '{5d3d98af-2c04-5ec2-0000-00101e294300}': 2, '{5d3d98af-2b7e-5ec2-0000-0010945e3c00}': 2, '{5d3d98af-25af-5ec2-0000-0010242e0900}': 0, '{5d3d98af-2988-5ec2-0000-0010a3a73000}': 2, '{5d3d98af-2b99-5ec2-0000-0010af0f3e00}': 2, '{5d3d98af-2994-5ec2-0000-0010df243100}': 2, '{5d3d98af-2b83-5ec2-0000-001037d23c00}': 2, '{5d3d98af-2bf6-5ec2-0000-0010d7e44100}': 1, '{5d3d98af-2b76-5ec2-0000-00102bdf3b00}': 2, None: 620, '{5d3d98af-264b-5ec2-0000-00107e200800}': 13, '{5d3d98af-2c22-5ec2-0000-0010ea194400}': 2}
  - Person5:
	{'{5d3d98af-2c07-5ec2-0000-0010bd8e4300}': 0, '{5d3d98af-2c04-5ec2-0000-00101e294300}': 0, '{5d3d98af-2b7e-5ec2-0000-0010945e3c00}': 0, '{5d3d98af-25af-5ec2-0000-0010242e0900}': 0, '{5d3d98af-2988-5ec2-0000-0010a3a73000}': 0, '{5d3d98af-2b99-5ec2-0000-0010af0f3e00}': 0, '{5d3d98af-2994-5ec2-0000-0010df243100}': 0, '{5d3d98af-2b83-5ec2-0000-001037d23c00}': 0, '{5d3d98af-2bf6-5ec2-0000-0010d7e44100}': 0, '{5d3d98af-2b76-5ec2-0000-00102bdf3b00}': 0, None: 0, '{5d3d98af-264b-5ec2-0000-00107e200800}': 0, '{5d3d98af-2c22-5ec2-0000-0010ea194400}': 0}
  - Person6:
	{'{5d3d98af-2c07-5ec2-0000-0010bd8e4300}': 0, '{5d3d98af-2c04-5ec2-0000-00101e294300}': 0, '{5d3d98af-2b7e-5ec2-0000-0010945e3c00}': 0, '{5d3d98af-25af-5ec2-0000-0010242e0900}': 0, '{5d3d98af-2988-5ec2-0000-0010a3a73000}': 0, '{5d3d98af-2b99-5ec2-0000-0010af0f3e00}': 0, '{5d3d98af-2994-5ec2-0000-0010df243100}': 0, '{5d3d98af-2b83-5ec2-0000-001037d23c00}': 0, '{5d3d98af-2bf6-5ec2-0000-0010d7e44100}': 0, '{5d3d98af-2b76-5ec2-0000-00102bdf3b00}': 0, None: 0, '{5d3d98af-264b-5ec2-0000-00107e200800}': 0, '{5d3d98af-2c22-5ec2-0000-0010ea194400}': 0}
# event_data.EventType
  - Person1:
	{None: 416, 'SetValue': 69, 'DeleteKey': 1, 'DeleteValue': 8}
  - Person2:
	{None: 497, 'SetValue': 7, 'DeleteKey': 0, 'DeleteValue': 0}
  - Person3:
	{None: 4811, 'SetValue': 32, 'DeleteKey': 0, 'DeleteValue': 3}
  - Person4:
	{None: 613, 'SetValue': 39, 'DeleteKey': 0, 'DeleteValue': 0}
  - Person5:
	{None: 1533, 'SetValue': 198, 'DeleteKey': 0, 'DeleteValue': 3}
  - Person6:
	{None: 713, 'SetValue': 5, 'DeleteKey': 0, 'DeleteValue': 0}
# event_data.param1
  - Person1:
	{None: 0, '\\Device\\HarddiskVolume2\\Windows\\System32\\VBoxDispD3D.dll': 0}
  - Person2:
	{None: 0, '\\Device\\HarddiskVolume2\\Windows\\System32\\VBoxDispD3D.dll': 0}
  - Person3:
	{None: 0, '\\Device\\HarddiskVolume2\\Windows\\System32\\VBoxDispD3D.dll': 0}
  - Person4:
	{None: 403, '\\Device\\HarddiskVolume2\\Windows\\System32\\VBoxDispD3D.dll': 249}
  - Person5:
	{None: 0, '\\Device\\HarddiskVolume2\\Windows\\System32\\VBoxDispD3D.dll': 0}
  - Person6:
	{None: 0, '\\Device\\HarddiskVolume2\\Windows\\System32\\VBoxDispD3D.dll': 0}
# event_data.TargetProcessGuid
  - Person1:
	{None: 0, '{5d3d98af-2633-5ec2-0000-001082560000}': 0, '{5d3d98af-2583-5ec2-0000-001006560000}': 0}
  - Person2:
	{None: 500, '{5d3d98af-2633-5ec2-0000-001082560000}': 0, '{5d3d98af-2583-5ec2-0000-001006560000}': 4}
  - Person3:
	{None: 0, '{5d3d98af-2633-5ec2-0000-001082560000}': 0, '{5d3d98af-2583-5ec2-0000-001006560000}': 0}
  - Person4:
	{None: 620, '{5d3d98af-2633-5ec2-0000-001082560000}': 32, '{5d3d98af-2583-5ec2-0000-001006560000}': 0}
  - Person5:
	{None: 0, '{5d3d98af-2633-5ec2-0000-001082560000}': 0, '{5d3d98af-2583-5ec2-0000-001006560000}': 0}
  - Person6:
	{None: 0, '{5d3d98af-2633-5ec2-0000-001082560000}': 0, '{5d3d98af-2583-5ec2-0000-001006560000}': 0}
# event_data.AuthenticationPackageName
  - Person1:
	{None: 465, 'Negotiate': 29}
  - Person2:
	{None: 487, 'Negotiate': 17}
  - Person3:
	{None: 4815, 'Negotiate': 31}
  - Person4:
	{None: 625, 'Negotiate': 27}
  - Person5:
	{None: 1691, 'Negotiate': 43}
  - Person6:
	{None: 707, 'Negotiate': 11}
# event_data.KeyLength
  - Person1:
	{None: 465, '0': 29}
  - Person2:
	{None: 487, '0': 17}
  - Person3:
	{None: 4815, '0': 31}
  - Person4:
	{None: 625, '0': 27}
  - Person5:
	{None: 1691, '0': 43}
  - Person6:
	{None: 707, '0': 11}
# system.Version
  - Person1:
	{'5': 234, '3': 0, '4': 0, '2': 207, '1': 1, '0': 52}
  - Person2:
	{'5': 314, '3': 19, '4': 0, '2': 134, '1': 0, '0': 37}
  - Person3:
	{'5': 171, '3': 1, '4': 0, '2': 245, '1': 0, '0': 4429}
  - Person4:
	{'5': 210, '3': 9, '4': 0, '2': 119, '1': 1, '0': 313}
  - Person5:
	{'5': 387, '3': 16, '4': 43, '2': 616, '1': 2, '0': 670}
  - Person6:
	{'5': 523, '3': 2, '4': 0, '2': 157, '1': 1, '0': 35}
# event_data.IpAddress
  - Person1:
	{None: 464, '-': 27, '127.0.0.1': 3}
  - Person2:
	{None: 487, '-': 17, '127.0.0.1': 0}
  - Person3:
	{None: 4815, '-': 31, '127.0.0.1': 0}
  - Person4:
	{None: 624, '-': 28, '127.0.0.1': 0}
  - Person5:
	{None: 1691, '-': 43, '127.0.0.1': 0}
  - Person6:
	{None: 707, '-': 11, '127.0.0.1': 0}
# event_data.Company
  - Person1:
	{'Bloodshed Software': 0, 'Google LLC': 2, 'Microsoft Corporation': 88, 'The Document Foundation': 10, '?': 1, 'Microsoft Corp.': 2, 'The Wireshark developer community': 5, 'Google': 0, None: 383, 'Microsoft Corporation                                       ': 0, 'Python Software Foundation': 0, 'Adobe': 2, 'The Wireshark developer community, https://www.wireshark.org/': 1}
  - Person2:
	{'Bloodshed Software': 1, 'Google LLC': 2, 'Microsoft Corporation': 45, 'The Document Foundation': 0, '?': 121, 'Microsoft Corp.': 2, 'The Wireshark developer community': 1, 'Google': 4, None: 328, 'Microsoft Corporation                                       ': 0, 'Python Software Foundation': 0, 'Adobe': 0, 'The Wireshark developer community, https://www.wireshark.org/': 0}
  - Person3:
	{'Bloodshed Software': 0, 'Google LLC': 3, 'Microsoft Corporation': 63, 'The Document Foundation': 0, '?': 0, 'Microsoft Corp.': 1, 'The Wireshark developer community': 1, 'Google': 0, None: 4778, 'Microsoft Corporation                                       ': 0, 'Python Software Foundation': 0, 'Adobe': 0, 'The Wireshark developer community, https://www.wireshark.org/': 0}
  - Person4:
	{'Bloodshed Software': 0, 'Google LLC': 0, 'Microsoft Corporation': 41, 'The Document Foundation': 0, '?': 15, 'Microsoft Corp.': 0, 'The Wireshark developer community': 1, 'Google': 0, None: 593, 'Microsoft Corporation                                       ': 0, 'Python Software Foundation': 0, 'Adobe': 2, 'The Wireshark developer community, https://www.wireshark.org/': 0}
  - Person5:
	{'Bloodshed Software': 0, 'Google LLC': 6, 'Microsoft Corporation': 124, 'The Document Foundation': 0, '?': 5, 'Microsoft Corp.': 4, 'The Wireshark developer community': 1, 'Google': 0, None: 1581, 'Microsoft Corporation                                       ': 2, 'Python Software Foundation': 11, 'Adobe': 0, 'The Wireshark developer community, https://www.wireshark.org/': 0}
  - Person6:
	{'Bloodshed Software': 0, 'Google LLC': 2, 'Microsoft Corporation': 53, 'The Document Foundation': 0, '?': 1, 'Microsoft Corp.': 2, 'The Wireshark developer community': 5, 'Google': 0, None: 654, 'Microsoft Corporation                                       ': 0, 'Python Software Foundation': 0, 'Adobe': 0, 'The Wireshark developer community, https://www.wireshark.org/': 1}
# event_data.TargetOutboundUserName
  - Person1:
	{None: 466, '-': 28}
  - Person2:
	{None: 488, '-': 16}
  - Person3:
	{None: 4816, '-': 30}
  - Person4:
	{None: 625, '-': 27}
  - Person5:
	{None: 1694, '-': 40}
  - Person6:
	{None: 707, '-': 11}
# event_data.ObjectServer
  - Person1:
	{None: 493, 'Security': 1}
  - Person2:
	{None: 0, 'Security': 0}
  - Person3:
	{None: 472, 'Security': 4374}
  - Person4:
	{None: 0, 'Security': 0}
  - Person5:
	{None: 1727, 'Security': 7}
  - Person6:
	{None: 717, 'Security': 1}
# event_data.Protocol
  - Person1:
	{None: 0, 'tcp': 0}
  - Person2:
	{None: 0, 'tcp': 0}
  - Person3:
	{None: 0, 'tcp': 0}
  - Person4:
	{None: 0, 'tcp': 0}
  - Person5:
	{None: 1591, 'tcp': 143}
  - Person6:
	{None: 0, 'tcp': 0}
# event_data.TargetOutboundDomainName
  - Person1:
	{None: 466, '-': 28}
  - Person2:
	{None: 488, '-': 16}
  - Person3:
	{None: 4816, '-': 30}
  - Person4:
	{None: 625, '-': 27}
  - Person5:
	{None: 1694, '-': 40}
  - Person6:
	{None: 707, '-': 11}
# event_data.SubjectDomainName
  - Person1:
	{'Window Manager': 0, 'DESKTOP-P84STH6': 19, None: 415, 'NT AUTHORITY': 27, 'WORKGROUP': 33}
  - Person2:
	{'Window Manager': 0, 'DESKTOP-P84STH6': 18, None: 451, 'NT AUTHORITY': 16, 'WORKGROUP': 19}
  - Person3:
	{'Window Manager': 0, 'DESKTOP-P84STH6': 12, None: 387, 'NT AUTHORITY': 30, 'WORKGROUP': 4417}
  - Person4:
	{'Window Manager': 9, 'DESKTOP-P84STH6': 20, None: 562, 'NT AUTHORITY': 25, 'WORKGROUP': 36}
  - Person5:
	{'Window Manager': 0, 'DESKTOP-P84STH6': 555, None: 1022, 'NT AUTHORITY': 62, 'WORKGROUP': 95}
  - Person6:
	{'Window Manager': 0, 'DESKTOP-P84STH6': 14, None: 671, 'NT AUTHORITY': 12, 'WORKGROUP': 21}
# event_data.ProcessName
  - Person1:
	{'C:\\Windows\\System32\\svchost.exe': 4, 'C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.411_none_5f53d2d858cf8961\\TiWorker.exe': 0, 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe': 1, 'C:\\Windows\\System32\\taskhostw.exe': 1, 'C:\\Windows\\System32\\winlogon.exe': 0, None: 462, 'C:\\Windows\\System32\\services.exe': 26}
  - Person2:
	{'C:\\Windows\\System32\\svchost.exe': 0, 'C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.411_none_5f53d2d858cf8961\\TiWorker.exe': 0, 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe': 1, 'C:\\Windows\\System32\\taskhostw.exe': 0, 'C:\\Windows\\System32\\winlogon.exe': 0, None: 487, 'C:\\Windows\\System32\\services.exe': 16}
  - Person3:
	{'C:\\Windows\\System32\\svchost.exe': 0, 'C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.411_none_5f53d2d858cf8961\\TiWorker.exe': 4374, 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe': 1, 'C:\\Windows\\System32\\taskhostw.exe': 0, 'C:\\Windows\\System32\\winlogon.exe': 0, None: 441, 'C:\\Windows\\System32\\services.exe': 30}
  - Person4:
	{'C:\\Windows\\System32\\svchost.exe': 0, 'C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.411_none_5f53d2d858cf8961\\TiWorker.exe': 0, 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe': 0, 'C:\\Windows\\System32\\taskhostw.exe': 0, 'C:\\Windows\\System32\\winlogon.exe': 3, None: 624, 'C:\\Windows\\System32\\services.exe': 25}
  - Person5:
	{'C:\\Windows\\System32\\svchost.exe': 0, 'C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.411_none_5f53d2d858cf8961\\TiWorker.exe': 6, 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe': 3, 'C:\\Windows\\System32\\taskhostw.exe': 1, 'C:\\Windows\\System32\\winlogon.exe': 0, None: 1684, 'C:\\Windows\\System32\\services.exe': 40}
  - Person6:
	{'C:\\Windows\\System32\\svchost.exe': 1, 'C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.411_none_5f53d2d858cf8961\\TiWorker.exe': 0, 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe': 0, 'C:\\Windows\\System32\\taskhostw.exe': 1, 'C:\\Windows\\System32\\winlogon.exe': 0, None: 705, 'C:\\Windows\\System32\\services.exe': 11}
# event_data.ClientCreationTime
  - Person1:
	{None: 0, '2020-05-18T06:32:04.922555500Z': 0, '2020-05-18T06:22:36.725019200Z': 0}
  - Person2:
	{None: 0, '2020-05-18T06:32:04.922555500Z': 0, '2020-05-18T06:22:36.725019200Z': 0}
  - Person3:
	{None: 0, '2020-05-18T06:32:04.922555500Z': 0, '2020-05-18T06:22:36.725019200Z': 0}
  - Person4:
	{None: 651, '2020-05-18T06:32:04.922555500Z': 1, '2020-05-18T06:22:36.725019200Z': 0}
  - Person5:
	{None: 1732, '2020-05-18T06:32:04.922555500Z': 0, '2020-05-18T06:22:36.725019200Z': 2}
  - Person6:
	{None: 0, '2020-05-18T06:32:04.922555500Z': 0, '2020-05-18T06:22:36.725019200Z': 0}
# label
  - Person1:
	{'6': 0, '5': 0, '3': 0, '4': 0, '2': 0, '1': 1}
  - Person2:
	{'6': 0, '5': 0, '3': 0, '4': 0, '2': 1, '1': 0}
  - Person3:
	{'6': 0, '5': 0, '3': 1, '4': 0, '2': 0, '1': 0}
  - Person4:
	{'6': 0, '5': 0, '3': 0, '4': 1, '2': 0, '1': 0}
  - Person5:
	{'6': 0, '5': 1, '3': 0, '4': 0, '2': 0, '1': 0}
  - Person6:
	{'6': 1, '5': 0, '3': 0, '4': 0, '2': 0, '1': 0}
# event_data.NewSd
  - Person1:
	{None: 493, 'S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)(AU;IDSAFA;0x1000000;;;WD)': 0, 'S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)': 1, 'S:ARAI(AU;SAFA;0x1f0116;;;WD)': 0}
  - Person2:
	{None: 0, 'S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)(AU;IDSAFA;0x1000000;;;WD)': 0, 'S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)': 0, 'S:ARAI(AU;SAFA;0x1f0116;;;WD)': 0}
  - Person3:
	{None: 472, 'S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)(AU;IDSAFA;0x1000000;;;WD)': 1, 'S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)': 3675, 'S:ARAI(AU;SAFA;0x1f0116;;;WD)': 698}
  - Person4:
	{None: 0, 'S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)(AU;IDSAFA;0x1000000;;;WD)': 0, 'S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)': 0, 'S:ARAI(AU;SAFA;0x1f0116;;;WD)': 0}
  - Person5:
	{None: 1727, 'S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)(AU;IDSAFA;0x1000000;;;WD)': 0, 'S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)': 1, 'S:ARAI(AU;SAFA;0x1f0116;;;WD)': 6}
  - Person6:
	{None: 717, 'S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)(AU;IDSAFA;0x1000000;;;WD)': 0, 'S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)': 1, 'S:ARAI(AU;SAFA;0x1f0116;;;WD)': 0}
# event_data.CountOfCredentialsReturned
  - Person1:
	{None: 488, '1': 2, '0': 4}
  - Person2:
	{None: 488, '1': 3, '0': 13}
  - Person3:
	{None: 4840, '1': 2, '0': 4}
  - Person4:
	{None: 626, '1': 5, '0': 21}
  - Person5:
	{None: 1369, '1': 293, '0': 72}
  - Person6:
	{None: 695, '1': 4, '0': 19}
# event_data.VirtualAccount
  - Person1:
	{None: 466, '%%1842': 0, '%%1843': 28}
  - Person2:
	{None: 488, '%%1842': 0, '%%1843': 16}
  - Person3:
	{None: 4816, '%%1842': 0, '%%1843': 30}
  - Person4:
	{None: 625, '%%1842': 2, '%%1843': 25}
  - Person5:
	{None: 1694, '%%1842': 0, '%%1843': 40}
  - Person6:
	{None: 707, '%%1842': 0, '%%1843': 11}
# event_data.RestrictedAdminMode
  - Person1:
	{None: 466, '-': 28}
  - Person2:
	{None: 488, '-': 16}
  - Person3:
	{None: 4816, '-': 30}
  - Person4:
	{None: 625, '-': 27}
  - Person5:
	{None: 1694, '-': 40}
  - Person6:
	{None: 707, '-': 11}
# event_data.DestinationPort
  - Person1:
	{None: 0, '8080': 0, '443': 0}
  - Person2:
	{None: 0, '8080': 0, '443': 0}
  - Person3:
	{None: 0, '8080': 0, '443': 0}
  - Person4:
	{None: 0, '8080': 0, '443': 0}
  - Person5:
	{None: 1591, '8080': 106, '443': 37}
  - Person6:
	{None: 0, '8080': 0, '443': 0}
# event_data.TargetLinkedLogonId
  - Person1:
	{'0x0': 26, '0x57796e': 1, '0x413b56': 0, None: 466, '0x57794c': 1, '0x413b3b': 0}
  - Person2:
	{'0x0': 16, '0x57796e': 0, '0x413b56': 0, None: 488, '0x57794c': 0, '0x413b3b': 0}
  - Person3:
	{'0x0': 30, '0x57796e': 0, '0x413b56': 0, None: 4816, '0x57794c': 0, '0x413b3b': 0}
  - Person4:
	{'0x0': 25, '0x57796e': 0, '0x413b56': 1, None: 625, '0x57794c': 0, '0x413b3b': 1}
  - Person5:
	{'0x0': 40, '0x57796e': 0, '0x413b56': 0, None: 1694, '0x57794c': 0, '0x413b3b': 0}
  - Person6:
	{'0x0': 11, '0x57796e': 0, '0x413b56': 0, None: 707, '0x57794c': 0, '0x413b3b': 0}
# event_data.TransmittedServices
  - Person1:
	{None: 465, '-': 29}
  - Person2:
	{None: 487, '-': 17}
  - Person3:
	{None: 4815, '-': 31}
  - Person4:
	{None: 625, '-': 27}
  - Person5:
	{None: 1691, '-': 43}
  - Person6:
	{None: 707, '-': 11}
# event_data.SubjectUserName
  - Person1:
	{'SYSTEM': 26, 'DWM-1': 0, 'DESKTOP-P84STH6$': 33, None: 415, 'NS': 19, 'LOCAL SERVICE': 1}
  - Person2:
	{'SYSTEM': 16, 'DWM-1': 0, 'DESKTOP-P84STH6$': 19, None: 451, 'NS': 18, 'LOCAL SERVICE': 0}
  - Person3:
	{'SYSTEM': 30, 'DWM-1': 0, 'DESKTOP-P84STH6$': 4417, None: 387, 'NS': 12, 'LOCAL SERVICE': 0}
  - Person4:
	{'SYSTEM': 25, 'DWM-1': 9, 'DESKTOP-P84STH6$': 36, None: 562, 'NS': 20, 'LOCAL SERVICE': 0}
  - Person5:
	{'SYSTEM': 40, 'DWM-1': 0, 'DESKTOP-P84STH6$': 95, None: 1022, 'NS': 555, 'LOCAL SERVICE': 22}
  - Person6:
	{'SYSTEM': 11, 'DWM-1': 0, 'DESKTOP-P84STH6$': 21, None: 671, 'NS': 14, 'LOCAL SERVICE': 1}
# event_data.TargetDomainName
  - Person1:
	{'Builtin': 0, 'Window Manager': 0, 'DESKTOP-P84STH6': 20, None: 448, 'NT AUTHORITY': 26}
  - Person2:
	{'Builtin': 0, 'Window Manager': 0, 'DESKTOP-P84STH6': 5, None: 483, 'NT AUTHORITY': 16}
  - Person3:
	{'Builtin': 10, 'Window Manager': 0, 'DESKTOP-P84STH6': 9, None: 4797, 'NT AUTHORITY': 30}
  - Person4:
	{'Builtin': 0, 'Window Manager': 5, 'DESKTOP-P84STH6': 7, None: 615, 'NT AUTHORITY': 25}
  - Person5:
	{'Builtin': 16, 'Window Manager': 0, 'DESKTOP-P84STH6': 240, None: 1438, 'NT AUTHORITY': 40}
  - Person6:
	{'Builtin': 0, 'Window Manager': 0, 'DESKTOP-P84STH6': 0, None: 707, 'NT AUTHORITY': 11}
# event_data.DestinationIp
  - Person1:
	{'64.4.54.254': 0, '0:0:0:0:0:0:0:1': 0, '140.113.194.88': 0, '104.42.78.153': 0, '13.75.38.7': 0, '117.18.232.200': 0, None: 0, '111.221.29.254': 0}
  - Person2:
	{'64.4.54.254': 0, '0:0:0:0:0:0:0:1': 0, '140.113.194.88': 0, '104.42.78.153': 0, '13.75.38.7': 0, '117.18.232.200': 0, None: 0, '111.221.29.254': 0}
  - Person3:
	{'64.4.54.254': 0, '0:0:0:0:0:0:0:1': 0, '140.113.194.88': 0, '104.42.78.153': 0, '13.75.38.7': 0, '117.18.232.200': 0, None: 0, '111.221.29.254': 0}
  - Person4:
	{'64.4.54.254': 0, '0:0:0:0:0:0:0:1': 0, '140.113.194.88': 0, '104.42.78.153': 0, '13.75.38.7': 0, '117.18.232.200': 0, None: 0, '111.221.29.254': 0}
  - Person5:
	{'64.4.54.254': 2, '0:0:0:0:0:0:0:1': 106, '140.113.194.88': 1, '104.42.78.153': 2, '13.75.38.7': 6, '117.18.232.200': 3, None: 1591, '111.221.29.254': 23}
  - Person6:
	{'64.4.54.254': 0, '0:0:0:0:0:0:0:1': 0, '140.113.194.88': 0, '104.42.78.153': 0, '13.75.38.7': 0, '117.18.232.200': 0, None: 0, '111.221.29.254': 0}
# event_data.SourcePortName
  - Person1:
	{None: 0}
  - Person2:
	{None: 0}
  - Person3:
	{None: 0}
  - Person4:
	{None: 0}
  - Person5:
	{None: 1734}
  - Person6:
	{None: 0}
# event_data.Type
  - Person1:
	{None: 488, '0': 6, '1': 0}
  - Person2:
	{None: 488, '0': 16, '1': 0}
  - Person3:
	{None: 4840, '0': 6, '1': 0}
  - Person4:
	{None: 626, '0': 25, '1': 1}
  - Person5:
	{None: 1369, '0': 88, '1': 277}
  - Person6:
	{None: 695, '0': 23, '1': 0}
# event_data.SourceImage
  - Person1:
	{'C:\\Users\\NS\\Desktop\\block130.exe': 0, 'C:\\Users\\NS\\Desktop\\âtâìâôâgâëâCâô\\âtâìâôâgâëâCâô.exe': 0, 'C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe': 0, None: 0, 'C:\\Windows\\System32\\VBoxTray.exe': 0, 'C:\\Program Files (x86)\\CartmansAuthoritah\\SouthPark.exe': 0}
  - Person2:
	{'C:\\Users\\NS\\Desktop\\block130.exe': 0, 'C:\\Users\\NS\\Desktop\\âtâìâôâgâëâCâô\\âtâìâôâgâëâCâô.exe': 0, 'C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe': 0, None: 500, 'C:\\Windows\\System32\\VBoxTray.exe': 4, 'C:\\Program Files (x86)\\CartmansAuthoritah\\SouthPark.exe': 0}
  - Person3:
	{'C:\\Users\\NS\\Desktop\\block130.exe': 0, 'C:\\Users\\NS\\Desktop\\âtâìâôâgâëâCâô\\âtâìâôâgâëâCâô.exe': 0, 'C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe': 0, None: 0, 'C:\\Windows\\System32\\VBoxTray.exe': 0, 'C:\\Program Files (x86)\\CartmansAuthoritah\\SouthPark.exe': 0}
  - Person4:
	{'C:\\Users\\NS\\Desktop\\block130.exe': 4, 'C:\\Users\\NS\\Desktop\\âtâìâôâgâëâCâô\\âtâìâôâgâëâCâô.exe': 4, 'C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe': 1, None: 620, 'C:\\Windows\\System32\\VBoxTray.exe': 13, 'C:\\Program Files (x86)\\CartmansAuthoritah\\SouthPark.exe': 10}
  - Person5:
	{'C:\\Users\\NS\\Desktop\\block130.exe': 0, 'C:\\Users\\NS\\Desktop\\âtâìâôâgâëâCâô\\âtâìâôâgâëâCâô.exe': 0, 'C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe': 0, None: 0, 'C:\\Windows\\System32\\VBoxTray.exe': 0, 'C:\\Program Files (x86)\\CartmansAuthoritah\\SouthPark.exe': 0}
  - Person6:
	{'C:\\Users\\NS\\Desktop\\block130.exe': 0, 'C:\\Users\\NS\\Desktop\\âtâìâôâgâëâCâô\\âtâìâôâgâëâCâô.exe': 0, 'C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe': 0, None: 0, 'C:\\Windows\\System32\\VBoxTray.exe': 0, 'C:\\Program Files (x86)\\CartmansAuthoritah\\SouthPark.exe': 0}
# event_data.CallerProcessName
  - Person1:
	{'C:\\Windows\\System32\\svchost.exe': 0, 'C:\\Windows\\System32\\VSSVC.exe': 0, 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe': 1, 'C:\\Windows\\explorer.exe': 0, 'C:\\Windows\\System32\\LogonUI.exe': 1, 'C:\\Program Files (x86)\\Dev-Cpp\\devcpp.exe': 0, None: 485, 'C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe': 6, 'C:\\Program Files\\LibreOffice\\program\\soffice.bin': 1}
  - Person2:
	{'C:\\Windows\\System32\\svchost.exe': 0, 'C:\\Windows\\System32\\VSSVC.exe': 0, 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe': 2, 'C:\\Windows\\explorer.exe': 0, 'C:\\Windows\\System32\\LogonUI.exe': 0, 'C:\\Program Files (x86)\\Dev-Cpp\\devcpp.exe': 2, None: 500, 'C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe': 0, 'C:\\Program Files\\LibreOffice\\program\\soffice.bin': 0}
  - Person3:
	{'C:\\Windows\\System32\\svchost.exe': 2, 'C:\\Windows\\System32\\VSSVC.exe': 8, 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe': 1, 'C:\\Windows\\explorer.exe': 0, 'C:\\Windows\\System32\\LogonUI.exe': 0, 'C:\\Program Files (x86)\\Dev-Cpp\\devcpp.exe': 0, None: 4829, 'C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe': 6, 'C:\\Program Files\\LibreOffice\\program\\soffice.bin': 0}
  - Person4:
	{'C:\\Windows\\System32\\svchost.exe': 0, 'C:\\Windows\\System32\\VSSVC.exe': 0, 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe': 0, 'C:\\Windows\\explorer.exe': 0, 'C:\\Windows\\System32\\LogonUI.exe': 0, 'C:\\Program Files (x86)\\Dev-Cpp\\devcpp.exe': 0, None: 646, 'C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe': 6, 'C:\\Program Files\\LibreOffice\\program\\soffice.bin': 0}
  - Person5:
	{'C:\\Windows\\System32\\svchost.exe': 0, 'C:\\Windows\\System32\\VSSVC.exe': 16, 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe': 5, 'C:\\Windows\\explorer.exe': 1, 'C:\\Windows\\System32\\LogonUI.exe': 0, 'C:\\Program Files (x86)\\Dev-Cpp\\devcpp.exe': 0, None: 1706, 'C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe': 6, 'C:\\Program Files\\LibreOffice\\program\\soffice.bin': 0}
  - Person6:
	{'C:\\Windows\\System32\\svchost.exe': 0, 'C:\\Windows\\System32\\VSSVC.exe': 0, 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe': 0, 'C:\\Windows\\explorer.exe': 0, 'C:\\Windows\\System32\\LogonUI.exe': 0, 'C:\\Program Files (x86)\\Dev-Cpp\\devcpp.exe': 0, None: 0, 'C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe': 0, 'C:\\Program Files\\LibreOffice\\program\\soffice.bin': 0}
# event_data.KeyFilePath
  - Person1:
	{None: 0, 'C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\ecc6a3f47d6202c819b86de61d2f66bb_5d3d98af-075c-43a1-a7ba-2845b4aa4f42': 0}
  - Person2:
	{None: 0, 'C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\ecc6a3f47d6202c819b86de61d2f66bb_5d3d98af-075c-43a1-a7ba-2845b4aa4f42': 0}
  - Person3:
	{None: 0, 'C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\ecc6a3f47d6202c819b86de61d2f66bb_5d3d98af-075c-43a1-a7ba-2845b4aa4f42': 0}
  - Person4:
	{None: 651, 'C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\ecc6a3f47d6202c819b86de61d2f66bb_5d3d98af-075c-43a1-a7ba-2845b4aa4f42': 1}
  - Person5:
	{None: 1732, 'C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\ecc6a3f47d6202c819b86de61d2f66bb_5d3d98af-075c-43a1-a7ba-2845b4aa4f42': 2}
  - Person6:
	{None: 0, 'C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\ecc6a3f47d6202c819b86de61d2f66bb_5d3d98af-075c-43a1-a7ba-2845b4aa4f42': 0}
# event_data.SourceHostname
  - Person1:
	{None: 0, 'DESKTOP-P84STH6': 0}
  - Person2:
	{None: 0, 'DESKTOP-P84STH6': 0}
  - Person3:
	{None: 0, 'DESKTOP-P84STH6': 0}
  - Person4:
	{None: 0, 'DESKTOP-P84STH6': 0}
  - Person5:
	{None: 1591, 'DESKTOP-P84STH6': 143}
  - Person6:
	{None: 0, 'DESKTOP-P84STH6': 0}
# event_data.StartModule
  - Person1:
	{None: 0}
  - Person2:
	{None: 504}
  - Person3:
	{None: 0}
  - Person4:
	{None: 652}
  - Person5:
	{None: 0}
  - Person6:
	{None: 0}
# event_data.DestinationPortName
  - Person1:
	{None: 0, 'https': 0}
  - Person2:
	{None: 0, 'https': 0}
  - Person3:
	{None: 0, 'https': 0}
  - Person4:
	{None: 0, 'https': 0}
  - Person5:
	{None: 1697, 'https': 37}
  - Person6:
	{None: 0, 'https': 0}
# event_data.SourceIsIpv6
  - Person1:
	{None: 0, 'true': 0, 'false': 0}
  - Person2:
	{None: 0, 'true': 0, 'false': 0}
  - Person3:
	{None: 0, 'true': 0, 'false': 0}
  - Person4:
	{None: 0, 'true': 0, 'false': 0}
  - Person5:
	{None: 1591, 'true': 106, 'false': 37}
  - Person6:
	{None: 0, 'true': 0, 'false': 0}
# event_data.PrivilegeList
  - Person1:
	{'SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege\n\t\t\t\tSeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege': 26, 'SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege': 0, 'SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege': 0, 'SeAssignPrimaryTokenPrivilege SeAuditPrivilege': 0, None: 467, 'SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege': 1}
  - Person2:
	{'SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege\n\t\t\t\tSeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege': 16, 'SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege': 0, 'SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege': 0, 'SeAssignPrimaryTokenPrivilege SeAuditPrivilege': 0, None: 488, 'SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege': 0}
  - Person3:
	{'SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege\n\t\t\t\tSeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege': 0, 'SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege': 30, 'SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege': 0, 'SeAssignPrimaryTokenPrivilege SeAuditPrivilege': 0, None: 4816, 'SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege': 0}
  - Person4:
	{'SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege\n\t\t\t\tSeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege': 25, 'SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege': 0, 'SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege': 1, 'SeAssignPrimaryTokenPrivilege SeAuditPrivilege': 1, None: 625, 'SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege': 0}
  - Person5:
	{'SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege\n\t\t\t\tSeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege': 0, 'SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege': 40, 'SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege': 0, 'SeAssignPrimaryTokenPrivilege SeAuditPrivilege': 0, None: 1694, 'SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege': 0}
  - Person6:
	{'SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege\n\t\t\t\tSeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege': 0, 'SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege': 11, 'SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege': 0, 'SeAssignPrimaryTokenPrivilege SeAuditPrivilege': 0, None: 707, 'SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege': 0}
# event_data.TargetUserSid
  - Person1:
	{'S-1-0-0': 1, 'S-1-5-21-223836497-1760142647-788189203-1001': 4, 'S-1-5-18': 26, None: 463, 'S-1-5-90-0-1': 0}
  - Person2:
	{'S-1-0-0': 1, 'S-1-5-21-223836497-1760142647-788189203-1001': 0, 'S-1-5-18': 16, None: 487, 'S-1-5-90-0-1': 0}
  - Person3:
	{'S-1-0-0': 1, 'S-1-5-21-223836497-1760142647-788189203-1001': 0, 'S-1-5-18': 30, None: 4815, 'S-1-5-90-0-1': 0}
  - Person4:
	{'S-1-0-0': 0, 'S-1-5-21-223836497-1760142647-788189203-1001': 0, 'S-1-5-18': 25, None: 623, 'S-1-5-90-0-1': 4}
  - Person5:
	{'S-1-0-0': 3, 'S-1-5-21-223836497-1760142647-788189203-1001': 0, 'S-1-5-18': 40, None: 1691, 'S-1-5-90-0-1': 0}
  - Person6:
	{'S-1-0-0': 0, 'S-1-5-21-223836497-1760142647-788189203-1001': 0, 'S-1-5-18': 11, None: 707, 'S-1-5-90-0-1': 0}